WO2022241939A1 - Network security management method and computer device - Google Patents

Network security management method and computer device

Info

Publication number
WO2022241939A1
Authority
WO
WIPO (PCT)
Prior art keywords
management
control unit
access control
instance
network
Prior art date
Application number
PCT/CN2021/107139
Other languages
French (fr)
Chinese (zh)
Inventor
邓真
林智鑫
向琦
周荃
张婵娟
Original Assignee
腾讯云计算(北京)有限责任公司
Priority date
Filing date
Publication date
Application filed by 腾讯云计算(北京)有限责任公司
Publication of WO2022241939A1
Priority to US18/123,622 (US20230300141A1)

Classifications

    • H04L63/105 Multiple levels of security (under H04L63/10, controlling access to devices or network resources)
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

All four fall under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security.

Definitions

  • the present application relates to the field of computer technology, in particular to a network security management method and computer equipment.
  • Public cloud is the most common type of cloud computing deployment and is owned and operated by a cloud computing service provider. In a public cloud, all resources are owned and managed by the cloud service provider, and cloud tenants share hardware, storage, and network equipment. A cloud tenant may be referred to simply as a tenant.
  • the cloud service provider of the public cloud will deploy a firewall in the public cloud environment.
  • in the related art, the firewall of a public cloud service is implemented mainly as follows: at the network boundary of the public cloud, network traffic is pulled (redirected) to an independent traffic processing cluster, which centrally inspects all network traffic against the access control policies preset by users and at the same time reports and stores hit logs and the like.
  • the embodiment of the present application provides a network security management method and computer equipment, which can realize distributed firewall configuration, effectively solve the problem of management and control of attack threats in the cloud, and protect the network security of tenants.
  • an embodiment of the present application provides a network security management method, the method is executed by a computer device, and the method includes:
  • the configuration data including at least one access control policy of the target tenant's network assets, the network assets including a private network, a subnet and an instance; the private network includes at least one subnet, and the subnet includes at least one instance;
  • the management and control unit includes one or more of private network-level management and control units, sub-network-level management and control units, and instance-level management and control units;
  • the access control policy set corresponding to the management and control unit is sent to the instance belonging to the management and control unit, and the access control policy set is used to control the network traffic of the instance.
  • an embodiment of the present application provides a network security management method, the method is executed by a computer device, and the method includes:
  • the network security management interface includes a configuration area, the network assets include a private network, a subnet and an instance; the private network includes at least one subnet, and the subnet includes at least one instance;
  • the access control configuration operation is input for the network asset through the configuration area;
  • the configuration data includes an access control policy of the target tenant's network assets;
  • the management and control unit includes one or more of private network-level, subnet-level and instance-level management and control units.
  • an embodiment of the present application provides a network security management device, which includes:
  • an acquisition unit configured to acquire configuration data, the configuration data including at least one access control policy of the network assets of the target tenant, the network assets including a private network, a subnet and an instance; the private network includes at least one subnet, and the subnet includes at least one instance;
  • a determination unit configured to determine one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data, the management and control units including one or more of private network-level, subnet-level and instance-level management and control units;
  • a sending unit configured to send the access control policy set corresponding to each management and control unit to the instances belonging to that management and control unit, the access control policy set being used to control the network traffic of those instances.
  • an embodiment of the present application provides a network security management device, which includes:
  • a display unit configured to display the network assets of the target tenant in a network security management interface, the network security management interface including a configuration area, and the network assets including private networks, subnets and instances; a private network includes at least one of the subnets, and a subnet includes at least one of the instances;
  • an acquisition unit configured to acquire an access control configuration operation input for the network assets through the configuration area;
  • a generating unit configured to generate configuration data according to the access control configuration operation, where the configuration data includes an access control policy of the target tenant's network assets;
  • a sending unit configured to send the configuration data to the server, so that the server determines the management and control unit and the access control policy set corresponding to the management and control unit according to the configuration data;
  • the management and control unit includes one or more of a private network-level management and control unit, a subnet-level management and control unit and an instance-level management and control unit.
  • an embodiment of the present application provides a computer device, including a processor and a computer storage medium, the computer storage medium storing one or more instructions that are suitable for being loaded by the processor to execute the network security management method described in any one of the foregoing aspects.
  • an embodiment of the present application provides another computer device, including a processor and a computer storage medium, the computer storage medium storing one or more instructions that are suitable for being loaded and executed by the processor to perform the network security management method described in any one of the foregoing aspects.
  • an embodiment of the present application provides a computer storage medium storing computer program instructions which, when executed by a processor, perform the network security management method described in any one of the preceding aspects.
  • an embodiment of the present application provides a computer program product or computer program; the computer program product includes a computer program stored in a computer storage medium, and the processor of the server reads the computer instructions from the computer storage medium and executes the network security management method described in any one of the preceding aspects.
  • one or more management and control units and the access control policy set corresponding to each management and control unit are determined according to the obtained configuration data.
  • the management and control units include one or more of private network-level, subnet-level and instance-level management and control units; the access control policy set corresponding to each management and control unit is then sent to the instances belonging to that unit, so that the network traffic of each instance can be effectively controlled using the access control policy set of its own management and control unit.
  • because the network traffic of an instance is controlled by the access control policy set of the management and control unit to which it belongs, no network traffic has to be pulled to a separate cluster; the distributed firewall configuration is built on the basic capabilities of instances in the public cloud environment, can effectively handle threat management and control scenarios in the cloud, and protects the network security of cloud tenants.
  • FIG. 1 is a schematic structural diagram of a network security management system provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a network security management method provided by an embodiment of the present application.
  • FIG. 3 is a topological diagram of a user network asset provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of another network security management method provided by an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of another network security management method provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a network security management interface provided by an embodiment of the present application.
  • FIG. 7 is a schematic diagram of an inbound rule configuration area provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of an access control management interface provided by an embodiment of the present application.
  • FIG. 9 is a schematic flowchart of another network security management method provided by an embodiment of the present application.
  • FIG. 10 is a schematic diagram of an example policy viewing area provided by an embodiment of the present application.
  • FIG. 11 is a schematic diagram of a log audit interface provided by an embodiment of the present application.
  • FIG. 12 is a schematic flowchart of another network security management method provided by an embodiment of the present application.
  • FIG. 13 is a schematic flowchart of another network security management method provided by an embodiment of the present application.
  • FIG. 14 is a schematic structural diagram of a network security management device provided by an embodiment of the present application.
  • FIG. 15 is a schematic structural diagram of another network security management device provided by an embodiment of the present application.
  • FIG. 16 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
  • FIG. 17 is a schematic structural diagram of another computer device provided by an embodiment of the present application.
  • Cloud technology refers to a hosting technology that unifies a series of resources such as hardware, software, and network in a wide area network or a local area network to realize data calculation, storage, processing, and sharing.
  • Cloud technology is a general term for network technology, information technology, integration technology, management platform technology, application technology, etc. based on cloud computing business model applications. It can form a resource pool, which can be used on demand and is flexible and convenient. Cloud computing technology will become an important support.
  • the background services of technical network systems, such as video websites, picture websites and other portal websites, require a lot of computing and storage resources. With the rapid development and application of the Internet industry, each item may have its own identification mark in the future, which needs to be transmitted to the background system for logical processing; data of different levels will be processed separately, and all kinds of industry data need strong back-end system support, which can only be realized through cloud computing.
  • Cloud Security is the general term for security software, hardware, users, institutions and secure cloud platforms based on cloud computing business model applications. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and judgment of unknown virus behavior: through the abnormal monitoring of software behavior in the network by a large number of mesh clients, it obtains the latest information on Trojan horses and malicious programs on the Internet, sends it to the server for automatic analysis and processing, and then distributes the virus and Trojan solution to each client.
  • the main research directions of cloud security include: 1. Cloud computing security, which mainly researches how to ensure the security of the cloud itself and of the applications on the cloud, including cloud computer system security, safe storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit, etc.; 2. Cloudification of security infrastructure, which mainly researches how to use cloud computing to build and integrate security infrastructure resources and optimize security protection mechanisms, including building an ultra-large-scale security event and information collection and processing platform through cloud computing technology, realizing the collection and correlation analysis of massive information, and improving the ability to control security incidents and risks across the entire network; 3. Cloud security services, which mainly research various security services provided to users on the basis of cloud computing platforms, such as antivirus services.
  • the embodiments of the present application mainly relate to technologies such as cloud security in the cloud technology field, and are specifically described through the following embodiments.
  • FIG. 1 is a schematic structural diagram of a network security management system provided by the embodiment of the present application.
  • the network security management system includes, but is not limited to, one or more clients, one or more servers, and one or more instances.
  • a client 101, a server 102, and an instance 103 are taken as examples.
  • the client 101, the server 102 and the instance 103 can establish a wireless link for communication.
  • the number and form of devices shown in FIG. 1 are for example and do not constitute a limitation to the embodiment of the present application.
  • the client 101 can be used to execute the network security management method provided by the embodiment of the present application for the client, and to configure the access control policy of the target tenant's network assets, so that the server can determine one or more management and control units and the access control policy set corresponding to each management and control unit.
  • the server 102 can be used to execute the network security management method provided by the embodiment of the present application for the server: it determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the obtained configuration data, and then sends the access control policy set corresponding to each management and control unit to the instances belonging to that unit.
  • the instance 103 may be configured to receive the access control policy set corresponding to the management and control unit, and use the access control policy set corresponding to the management and control unit to control the network traffic of the instance.
  • the network assets include private networks, subnets, and instances
  • the management and control units include one or more of private network-level management and control units, subnet-level management and control units, and instance-level management and control units.
  • the private network is the network space on the cloud dedicated to a tenant, and different private networks are completely logically isolated; a subnet is a component of a private network, and a private network is composed of at least one subnet. All cloud instance assets in the private network (such as cloud servers, cloud databases, etc.) must be deployed in a subnet.
  • the instance includes one or more of the following: cloud server, cloud database, elastic network card, and load balancing.
  • the cloud server provides elastic computing services, expands or reduces computing resources in real time, reduces software and hardware procurement costs, and simplifies IT operation and maintenance; it is the most important asset on the cloud;
  • the cloud database is a high-performance, highly reliable, flexible and scalable database hosting service;
  • the elastic network card is an elastic network interface bound to cloud servers in the private network, which can be freely migrated among multiple cloud servers; load balancing provides safe and fast traffic distribution services, and access traffic passing through load balancing can be automatically distributed to multiple cloud servers in the cloud, expanding the service capability of the system and eliminating single points of failure.
  • the server 102 and the instance 103 can be independent physical servers, or server clusters or distributed systems composed of multiple physical servers, and can also be cloud servers providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery network (CDN), and big data and artificial intelligence platforms.
  • the client 101 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, etc., but is not limited thereto.
  • the server 102 and the instance 103 can be used as nodes on the blockchain, and configuration data, management units, and access control policy sets corresponding to each management unit can be saved on the blockchain.
  • FIG. 2 is a schematic flowchart of a network security management method provided by an embodiment of the present application.
  • the network security management method can be applied to the network security management system shown in FIG. 1 and executed by a server, specifically, by a processor of the server.
  • the network security management method includes the following steps:
  • S201 The server acquires configuration data.
  • the configuration data includes at least one access control policy for network assets of the target tenant, including private networks, subnets, and instances.
  • the instance includes one or more of the following situations: cloud server, cloud database, elastic network card, load balancing, and the like.
  • the server receives configuration data sent by the client.
  • the access control policy is a control policy for resource access, preventing unauthorized access to any resource, so that network assets can be accessed within the legal scope.
  • the private network includes at least one subnet, and the subnet includes at least one instance.
  • FIG. 3 shows a user network asset topology diagram provided by the embodiment of the present application.
  • the configuration data acquired by the server includes 3 private networks (private network A, private network B, private network C), 5 subnets (subnet A, subnet B, subnet C, subnet D, subnet E) and 2 instances (instance A and instance B) of the target tenant.
  • private network A includes a subnet A
  • private network B includes 3 subnets, namely subnet B, subnet C and subnet D
  • private network C includes a subnet E
  • subnet D includes 2 instances, respectively are instance A and instance B.
  • the server may call an interface for obtaining network asset information on the cloud to obtain network asset information of a target tenant, and send the network asset information to a client corresponding to the target tenant. Based on this method, it is convenient for the subsequent client to configure the access control policy of the target tenant's network assets.
  • the target tenant can be a tenant or user of the public cloud. In the public cloud, the target tenant is represented by the company name or user name or account number.
  • S202 The server determines the management and control unit and the access control policy set corresponding to the management and control unit according to the configuration data.
  • the management and control unit includes one or more of private network-level management and control units, subnet-level management and control units, and instance-level management and control units.
  • the range of instances controlled by the management and control unit is in descending order: private network-level management and control units>subnet-level management and control units>instance-level management and control units.
  • the same management and control unit has the same access control policy.
  • the management and control unit may also be referred to simply as the control unit.
  • an instance asset (that is, an instance) on the cloud belongs to only one management and control unit. Based on this method, the server maintains as few access control policies as possible and reduces system consumption.
  • the access control policy set comprises one or more access control policies.
  • S203 The server sends the access control policy set corresponding to the management and control unit to the instances belonging to the management and control unit.
  • the access control policy set corresponding to each management and control unit is used to control the network traffic of the instances of that management and control unit.
  • the access control policies in the access control policy set of each management and control unit can have one or more levels of access control policies.
  • for example, the access control policy set of an instance-level management and control unit includes policy a, policy b, policy c, policy d and policy e, where policy a and policy b correspond to the access control policy of the same instance, policy c and policy d correspond to the access control policy of the same subnet, and policy e corresponds to the access control policy of the private network.
  • the final node where the access control policy set corresponding to each management and control unit takes effect is placed on each instance, and each instance can execute each access control policy included in the access control policy set corresponding to the management and control unit to which it belongs.
  • the distributed configuration of the firewall can effectively solve the threat control scenarios in the cloud and protect the network security of tenants on the cloud.
  • the server receives the access control hit information sent by each instance, and stores the access control hit information. Based on this approach, it is possible to save the hit status of each instance access control policy, such as attack logs, for easy reference by subsequent users.
  • the access control hit information is the information generated when the access control policy is hit by the traffic on the instance.
  • in the embodiment of the present application, configuration data is obtained, the configuration data including the access control policy of the network assets of the target tenant, and the network assets including private networks, subnets and instances; the management and control unit and the access control policy set corresponding to the management and control unit are determined according to the configuration data, the management and control unit including one or more of a private network-level, a subnet-level and an instance-level management and control unit; and the access control policy set corresponding to the management and control unit is sent to the instances of the management and control unit, where it is used to control the network traffic of those instances.
  • the access control policies of the target tenant's network assets are arranged into management and control units, and the network traffic of each instance is controlled using the access control policy set of the management and control unit to which that instance belongs, without any pulling (traction) of network traffic; the method is based on the basic capabilities of instances in the public cloud environment, is simple to implement, and can effectively handle threat management and control scenarios in the cloud and protect the network security of tenants on the cloud.
  • Fig. 4 is a schematic flowchart of another network security management method provided by an embodiment of the present application.
  • the network security management method can be applied to the network security management system shown in FIG. 1 and executed by a server, specifically, by a processor of the server.
  • the network security management method includes the following steps:
  • S401 The server acquires configuration data.
  • S402 The server acquires at least one effective object of the access control policy.
  • the effective object is any network asset of the target tenant.
  • the server traverses the effective objects of each access control policy to determine one or more management and control units and the access control policy set corresponding to each management and control unit.
  • the effective object can be any of private network, subnet and instance.
  • S403 The server determines whether the effective objects of the access control policy include the target instance. If there is an effective object of the access control policy including the target instance, execute S404; if there is no effective object of the access control policy including the target instance, execute S405.
  • S404 The server determines an instance-level management and control unit, and adds the access control policy of the target instance, the access control policy of the subnet to which the target instance belongs, and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the instance-level management and control unit.
  • the target instance is any instance of the target tenant. Different target instances correspond to different instance-level control units.
  • the access control policy of the cloud database is policy A
  • the access control policy of the subnet to which the cloud database belongs is policy B
  • the access control policy of the private network to which the cloud database belongs is policy C.
  • the server determines that the access control policy of the cloud database exists, and therefore determines an instance-level management and control unit, and adds policy A, policy B, and policy C to the access control policy set corresponding to the instance-level management and control unit.
  • S405 The server determines whether there is an effective object of an access control policy that includes the subnet to which the target instance belongs. If there is such an effective object, perform S406; if there is not, perform S407.
  • the server determines that there is no effective object of the access control policy including the target instance, and therefore further determines whether there is an effective object of the access control policy including the subnet to which the target instance belongs.
  • S406 The server determines a subnet-level management and control unit, and adds the access control policy of the subnet to which the target instance belongs and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the subnet-level management and control unit.
  • the target instance is a cloud database
  • the access control policy of the cloud database does not exist
  • the access control policy of the subnet to which the cloud database belongs is policy B
  • the access control policy of the private network to which the cloud database belongs is policy C.
  • the server determines that the access control policy of the subnet to which the cloud database belongs exists, and therefore determines a subnetwork-level management and control unit, and adds policy B and policy C to the access control policy set corresponding to the subnetwork-level management and control unit.
  • S407 The server determines that there is no effective object of an access control policy that includes the target instance or the subnet to which the target instance belongs, but that there is an effective object of an access control policy that includes the private network to which the target instance belongs; it therefore determines a private network-level management and control unit and the access control policy set corresponding to that private network-level management and control unit.
  • the target instance is a cloud database
  • neither the access control policy of the cloud database nor the access control policy of the subnet to which the cloud database belongs exists
  • the access control policy of the private network to which the cloud database belongs is policy C.
  • the server determines that the access control policy of the private network to which the cloud database belongs exists, thus determines a private network-level management and control unit, and adds policy C to the access control policy set corresponding to the private network-level management and control unit.
  • after the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data, it needs to detect whether the access control policy of the network assets of the target tenant has changed. If there is a change, the access control policy set corresponding to the affected management and control unit is updated.
  • S402-S407 are a specific implementation manner of the foregoing S202.
  • S408 For the first management and control unit among the one or more management and control units, if the first management and control unit is an instance-level management and control unit, the server assigns the instance indicated by the effective object of the instance-level management and control unit to the first management and control unit.
  • the first management unit is any one of the one or more management units.
  • An instance asset on the cloud belongs to only one management and control unit.
  • the management and control unit to which an instance belongs follows the principle of the smallest control scope; the management and control scopes from large to small are: private network-level management and control unit > subnet-level management and control unit > instance-level management and control unit.
  • the first management and control unit is an instance-level management and control unit A
  • the instance indicated by the effective object of the instance-level management and control unit is a cloud database
  • the cloud database is divided into the instance-level management and control unit A.
  • if the first management and control unit is a subnet-level management and control unit, the server assigns the instances included in the subnet indicated by the effective object of the subnet-level management and control unit to the first management and control unit.
  • the subnetwork indicated by the effective object of the subnetwork-level management and control unit is subnetwork A, where subnetwork A includes instance A and instance B. Therefore, both instance A and instance B are assigned to the subnetwork-level management and control unit A.
  • if the first management and control unit is a private network-level management and control unit, the server assigns the instances included in the private network indicated by the effective object of the private network-level management and control unit to the first management and control unit.
  • the private network indicated by the effective object of the private network-level management and control unit is a private network A
  • the private network A includes a subnet A and a subnet B
  • subnet A includes instance A and instance B
  • subnet B includes instance C. Therefore, instance A, instance B, and instance C are all divided into the private network-level management and control unit A.
  • S409 The server sends the access control policy set corresponding to each management and control unit to the instances belonging to each management and control unit.
  • instance Q belongs to instance-level management and control unit 1
  • the access control policy set corresponding to instance-level management and control unit 1 includes policy A, policy B, and policy C. Therefore, the server sends policy A, policy B, and policy C to instance Q, and instance Q controls its incoming and outgoing network traffic according to policy A, policy B, and policy C.
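The following is an added worked example of S402 to S409 (it is not code from the patent or from the applicant): it assigns each instance to the management and control unit with the smallest scope that has a policy (instance > subnet > private network), builds each unit's policy set from the instance, subnet and private network policies, checks that every instance lands in exactly one unit, and fingerprints each unit's policy set so that only changed sets need to be re-sent (the change check of S407 and S1306). The asset tree, policy names and effective objects are constructed for illustration; the three-level tree and the "policy name plus effective object" data shape are assumptions.

```python
"""Added example: management and control unit determination and policy set dispatch.

Assumed data shape: network assets form a tree private network > subnet > instance;
each access control policy is (policy name, effective object identifier).
All identifiers below are constructed, not taken from a real tenant.
"""
from dataclasses import dataclass, field
import hashlib
import json

# Constructed tenant assets: private network -> subnets -> instances.
ASSETS = {
    "vpc-A": {"subnet-A": ["ins-A", "ins-B"], "subnet-B": ["ins-C"]},
    "vpc-B": {"subnet-C": ["ins-Q"]},
}

# Constructed configuration data: (policy name, effective object).
POLICIES = [
    ("policy-A", "ins-Q"),     # instance-level policy
    ("policy-B", "subnet-A"),  # subnet-level policy
    ("policy-C", "vpc-A"),     # private network-level policy
    ("policy-D", "vpc-B"),
]


@dataclass
class ControlUnit:
    level: str                        # "instance", "subnet" or "private_network"
    scope: str                        # identifier of the effective object
    policies: list = field(default_factory=list)
    instances: list = field(default_factory=list)


def policies_for(policies, target):
    """All policies whose effective object is exactly `target`."""
    return [name for name, obj in policies if obj == target]


def index_instances(assets):
    """Map each instance to its (subnet, private network) ancestors."""
    parents = {}
    for vpc, subnets in assets.items():
        for subnet, instances in subnets.items():
            for ins in instances:
                parents[ins] = (subnet, vpc)
    return parents


def determine_units(assets, policies):
    """S402-S408: pick the smallest-scope unit per instance and aggregate its policies."""
    units = {}  # (level, scope) -> ControlUnit
    for ins, (subnet, vpc) in index_instances(assets).items():
        p_ins, p_sub, p_vpc = (policies_for(policies, x) for x in (ins, subnet, vpc))
        # Principle of smallest control scope: instance-level wins over subnet-level,
        # which wins over private network-level; the policy set is cumulative upwards.
        if p_ins:
            key, pset = ("instance", ins), p_ins + p_sub + p_vpc
        elif p_sub:
            key, pset = ("subnet", subnet), p_sub + p_vpc
        elif p_vpc:
            key, pset = ("private_network", vpc), p_vpc
        else:
            continue  # no policy covers this instance: nothing to dispatch
        units.setdefault(key, ControlUnit(key[0], key[1], pset)).instances.append(ins)
    return units


def each_instance_in_one_unit(units):
    """An instance asset belongs to only one management and control unit."""
    seen = [ins for unit in units.values() for ins in unit.instances]
    return len(seen) == len(set(seen))


def fingerprint(policy_set):
    """Order-independent digest of a policy set, used for change detection."""
    return hashlib.sha256(json.dumps(sorted(policy_set)).encode()).hexdigest()


def dispatch(units, previous=None):
    """S409: return {instance: policy set} plus the keys of units whose set changed
    since `previous` ({unit key: fingerprint} from the last dispatch)."""
    previous = previous or {}
    per_instance, changed = {}, []
    for key, unit in units.items():
        if previous.get(key) != fingerprint(unit.policies):
            changed.append(key)
        for ins in unit.instances:
            per_instance[ins] = list(unit.policies)
    return per_instance, changed


if __name__ == "__main__":
    units = determine_units(ASSETS, POLICIES)
    for key, unit in units.items():
        print(key, unit.policies, unit.instances)
    print(dispatch(units))
```

Running the block shows ins-A and ins-B grouped under the subnet-level unit for subnet-A with policies B and C, ins-C under the private network-level unit for vpc-A with policy C only, and ins-Q under its own instance-level unit with policies A and D. A second `dispatch` call fed the fingerprints from the first reports no changed units, which is the signal the server can use to skip re-sending.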
  • configuration data is obtained, which includes the access control policies of the target tenant's network assets, the network assets including private networks, subnets and instances; according to the configuration data, one or more management and control units and the access control policy set corresponding to each management and control unit are determined, the management and control unit including one or more of a private network-level management and control unit, a subnet-level management and control unit and an instance-level management and control unit; the access control policy set corresponding to each management and control unit is sent to the instances belonging to that management and control unit, and the access control policy set is used to control the network traffic of the instance.
  • the access control policies of the target tenant's network assets are arranged into management and control units, and for different instances the network traffic of the instance is controlled using the access control policy set corresponding to the management and control unit to which the instance belongs.
  • no traffic traction is required: the method is based on the basic capabilities of instances in the public cloud environment, is simple to implement, and can effectively address threat management and control scenarios in the cloud and protect the network security of tenants on the cloud.
  • FIG. 5 is a schematic flowchart of another network security management method provided by the embodiment of the present application.
  • the network security management method can be applied to the network security management system shown in FIG. 1 and executed by a client, specifically, it can be executed by a processor of the client.
  • the network security management method includes the following steps:
  • S501 The client displays the network assets of the target tenant on the network security management interface.
  • the network assets include private networks, subnets and instances.
  • Figure 6 shows a schematic diagram of a network security management interface provided by the embodiment of the present application.
  • the user can obtain all the network assets of the user through the asset scanning option or the asset synchronization option in the interface.
  • the user can also set an asset scanning cycle (such as a cycle of 7 days or a cycle of 24 hours), so that all network assets of the user are scanned at a fixed interval.
  • the network security management interface also includes the number of public network assets, the number of intranet assets, the number of private networks, the number of exposed ports, the number of exposed vulnerabilities and the number of security incidents, as well as individual bar graphs for peak bandwidth, cumulative incoming traffic, cumulative outgoing traffic, security events, exposed ports and exposed vulnerabilities.
  • the network security management interface also provides 6 network asset options, which are public network asset options, intranet asset options, private network asset options, subnet options, exposed port options, and exposed vulnerability options.
  • when the client detects the user's click operation on one of these 6 network asset options, it visually displays the network assets corresponding to the selected network asset option, including the name or ID (Identity Document) of the network asset, the VPC (Virtual Private Cloud), the IPv4 CIDR (Internet Protocol version 4 Classless Inter-Domain Routing), region, availability zone, cloud server, IP (Internet Protocol) address and resource label. It should be noted that users can also quickly query network assets through the query area.
  • the network security management interface further includes a configuration area, so that users can configure access control policies for the network assets through the configuration area.
  • a schematic diagram of an inbound rule configuration area provided by the embodiment of the present application is also shown.
  • the configuration area includes access source type options, port protocol type options and rule priority options, where the access source type options include IP address and parameter template, the port protocol type options include manual filling and parameter template, and the rule priority options include first and last.
  • the parameter template represents a collection of IP addresses; all configurations are made based on the parameter template, thereby reducing the workload of configuring policies for the user.
  • the access control policy configured by the user needs to include the access destination type, execution sequence, access source, access destination, destination port, protocol, policy and description.
  • the access destination types include cloud servers, cloud databases, elastic network cards, load balancing, subnets, private networks and resource labels.
  • Policies include blocking or allowing various Layer 3 network protocol rules.
  • Layer 3 network protocols include: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), etc. It should be noted that the user can synchronize inbound rules and outbound rules through the automatic two-way delivery option, thereby reducing the workload of configuring policies.
  • the access control policy configured by the client can be: the execution sequence is 4, the access source is 0.0.0.0/0, the access destination is Ins-hkpl3ga1, the destination port is -1/-1, the protocol is TCP, the policy is block, the description is rule, and the access destination type is subnet.
  • S502 The client acquires an access control configuration operation input for the network asset through the configuration area.
  • the client configures access control policies for different network assets in the configuration area, and obtains the input access control configuration operations for the network assets, so that the subsequent client generates configuration data for the access control configuration operations.
  • S503 The client generates configuration data according to the access control configuration operation.
  • the configuration data includes access control policies for the target tenant's network assets.
  • the client displays the access control policy of the target tenant's network assets on the access control management interface.
  • FIG. 8 shows a schematic diagram of an access control management interface provided by the embodiment of the present application.
  • the security group of the enterprise is Shanghai, which includes 3 rules in total.
  • the access control management interface includes the number of inbound rules, the number of outbound rules, the number of security groups, and the security group quota. The details of the security group quota can be viewed, and the quota can also be managed.
  • the access control management interface also includes an operation log, and users can view recent operation records.
  • the access control policies of all network assets of the target tenant displayed on the access control management interface include execution sequence, access source, access destination, destination port, protocol, policy, description, status and operations, where the operations include editing, inserting and deleting options. Users can also add new access control policies through the Add Rule option in the access control management interface. It should be noted that users can also quickly query access control policies through the query area.
  • S504 The client sends the configuration data to the server, so that the server determines the management and control unit and the access control policy set corresponding to the management and control unit according to the configuration data.
  • the management and control unit includes one or more of a private network-level management and control unit, a subnet-level management and control unit, and an instance-level management and control unit.
  • the client sends the configuration data to the server, so that the server can determine one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data.
  • the network assets of the target tenant are displayed in the network security management interface, the access control configuration operation input for the network assets is obtained through the configuration area, configuration data is generated according to the access control configuration operation, and the configuration data is sent to the server.
  • the access control policies of the target tenant's network assets are configured in the configuration area and the configuration data is sent to the server, so that the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data; users can thus flexibly configure the access control policies of each network asset as needed.
  • FIG. 9 is a schematic flowchart of another network security management method provided by the embodiment of the present application.
  • the network security management method can be applied to the network security management system shown in FIG. 1 and executed by a client, specifically, it can be executed by a processor of the client.
  • the network security management method includes the following steps:
  • S901 The client displays the network assets of the target tenant on the network security management interface.
  • S902 The client acquires an access control configuration operation input for the network asset through the configuration area.
  • S903 The client generates configuration data according to the access control configuration operation.
  • S904 The client sends the configuration data to the server, so that the server determines the management and control unit and the access control policy set corresponding to the management and control unit according to the configuration data.
  • S905 The client sends a policy acquisition request to the server in response to the policy viewing instruction for the target instance of the target tenant.
  • the policy acquisition request includes an instance identifier of the target instance.
  • the client determines the instance ID of the target instance according to the policy viewing instruction for the target instance of the target tenant, and sends a policy acquisition request to the server, so that the server determines the access control policy set corresponding to the management and control unit to which the target instance belongs.
  • the client receives the access control policy set corresponding to the management and control unit to which the target instance belongs sent by the server.
  • the client obtains the access control policy set corresponding to the management and control unit to which the target instance belongs, so that the client determines the effective access control policy of the target instance.
  • the client displays one or more access control policies included in the access control policy set on the network security management interface.
  • the user can view the instance policy area in the network security management interface; according to the user's click operation on different instance options, the access control policy set of the instance corresponding to the clicked instance option is displayed in the network security management interface.
  • Figure 10 shows a schematic diagram of an example policy viewing area provided by the embodiment of the present application.
  • the example policy viewing area includes inbound rule options and outbound rule options.
  • the inbound rules are the rules for other servers or devices accessing the target tenant
  • the outbound rules are the rules for the target tenant accessing other servers or devices.
  • the instance policy viewing area also includes an add rule option, an import rule option, a sorting option, a delete option and a one-click release option, where the add rule option is used to add a new access control policy, and the one-click release option is used to set all access control policies to allow.
  • the displayed access control policy includes source, protocol port, policy, comment, modification time and operation, where the operation includes edit, insert and delete options.
  • the client displays the access control hit information of each instance in the log audit interface. Based on this method, it is beneficial to improve the reliability of network security management.
  • Figure 11 shows a schematic diagram of a log audit interface provided by the embodiment of the present application.
  • the log audit interface includes inbound rules and outbound rules.
  • the access control hit information includes hit time, access source, source port, access destination (my assets), destination port, protocol and policy.
  • the network assets of the target tenant are displayed in the network security management interface, the access control configuration operation input for the network assets is obtained through the configuration area, configuration data is generated according to the access control configuration operation, and the configuration data is sent to the server.
  • the access control policies of the target tenant's network assets are configured in the configuration area and the configuration data is sent to the server, so that the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data.
  • Fig. 12 is a schematic flowchart of another network security management method provided by the embodiment of the present application.
  • the network security management method can be applied to the network security management system shown in FIG. 1 , and is realized by interaction among the server, the client, and the instance, and specifically can be executed by a processor of the server, a processor of the client, and a processor of the instance.
  • the network security management method includes the following steps:
  • S1201 The client displays the network assets of the target tenant on the network security management interface.
  • S1202 The client acquires an access control configuration operation input for the network asset through the configuration area.
  • S1203 The client generates configuration data according to the access control configuration operation.
  • S1204 The client sends the configuration data to the server.
  • S1205 The server determines the management and control unit and the access control policy set corresponding to the management and control unit according to the configuration data.
  • S1206 The server sends the access control policy set corresponding to the management and control unit to the instances belonging to the management and control unit.
  • S1207 The instance receives the access control policy set corresponding to the management and control unit to which the instance belongs.
  • S1208 The instance controls network traffic according to the access control policy set corresponding to the control unit, and generates access control hit information.
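As an added example of S1208 (not code from the patent or the applicant), the block below shows an instance applying a received policy set to a connection and producing a hit record with the fields of the log audit view (hit time, access source, source port, access destination, destination port, protocol, policy). The rule fields follow the example rule given for S501 (execution sequence, access source CIDR, access destination instance, destination port where -1/-1 means all ports, protocol, policy), and the rule priority options "first" and "last" are modelled by inserting a rule ahead of or after all existing execution sequences. The sample rules, the sample connections, first-match-wins evaluation and the default of blocking unmatched traffic are assumptions made here for the example.

```python
"""Added example: an instance enforcing its access control policy set and
generating access control hit information.

Assumptions (not stated by the patent): rules are evaluated in execution-sequence
order and the first match decides; traffic matching no rule is blocked.
Sample rules and connections are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class Rule:
    sequence: int        # execution sequence: lower values are evaluated first
    source: str          # access source as a CIDR block
    destination: str     # access destination: instance identifier
    ports: str           # destination port range "low/high"; "-1/-1" means every port
    protocol: str        # TCP, UDP, ICMP or ALL
    policy: str          # "block" or "allow"
    description: str = ""


def parse_ports(spec):
    """Turn 'low/high' into an inclusive port range; '-1/-1' means all ports."""
    low, high = (int(x) for x in spec.split("/"))
    if low == -1 and high == -1:
        return 0, 65535
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return low, high


def rule_matches(rule, src_ip, dst_instance, dst_port, protocol):
    """A rule hits when destination, protocol, source CIDR and port all match."""
    if rule.destination != dst_instance:
        return False
    if rule.protocol not in ("ALL", protocol):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source, strict=False):
        return False
    low, high = parse_ports(rule.ports)
    return low <= dst_port <= high


def evaluate(rules, src_ip, src_port, dst_instance, dst_port, protocol, default="block"):
    """Apply the policy set to one connection; return a hit record shaped like the
    log audit view plus the sequence of the rule that decided (None for default)."""
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule_matches(rule, src_ip, dst_instance, dst_port, protocol):
            policy, seq = rule.policy, rule.sequence
            break
    else:
        policy, seq = default, None
    return {
        "hit_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "access_source": src_ip,
        "source_port": src_port,
        "access_destination": dst_instance,
        "destination_port": dst_port,
        "protocol": protocol,
        "policy": policy,
        "rule_sequence": seq,
    }


def insert_rule(rules, fields, priority):
    """Rule priority option: 'first' runs before every existing rule, 'last' after."""
    seqs = [r.sequence for r in rules]
    if not seqs:
        seq = 1
    elif priority == "first":
        seq = min(seqs) - 1
    else:
        seq = max(seqs) + 1
    return rules + [Rule(sequence=seq, **fields)]


# Constructed policy set for one instance. The second rule mirrors the example
# rule from the configuration area: sequence 4, 0.0.0.0/0, Ins-hkpl3ga1, -1/-1, TCP, block.
RULES = [
    Rule(1, "10.0.0.0/8", "Ins-hkpl3ga1", "22/22", "TCP", "allow", "constructed: intranet ssh"),
    Rule(4, "0.0.0.0/0", "Ins-hkpl3ga1", "-1/-1", "TCP", "block", "rule"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.1.2.3", 51000, "Ins-hkpl3ga1", 22, "TCP"))
    print(evaluate(RULES, "203.0.113.5", 40000, "Ins-hkpl3ga1", 22, "TCP"))
```

Inbound TCP to port 22 from 10.1.2.3 is allowed by sequence 1, the same connection from 203.0.113.5 falls through to the catch-all block at sequence 4, and UDP traffic matches no rule and gets the default. Each returned record is what the instance would hand to the message queue service for the log service to store and display.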
  • the client configures the access control policies of the network assets of the target tenant, so that the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data.
  • the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the obtained configuration data, and then sends the access control policy set corresponding to each management and control unit to the instances belonging to that management and control unit; the instance receives the access control policy set corresponding to its management and control unit and uses it to control the network traffic of the instance.
  • distributed firewall configuration can thus be realized, effectively solving the problem of managing and controlling attack threats in the cloud and protecting the network security of cloud tenants.
  • Fig. 13 is a schematic flowchart of another network security management method provided by the embodiment of the present application.
  • the network security management method can be applied to the network security management system shown in FIG. 1 , and is realized by interaction among the server, the client, and the instance, and specifically can be executed by a processor of the server, a processor of the client, and a processor of the instance.
  • the network security management method includes the following steps:
  • S1301 Tenant network discovery, where the tenant corresponds to the target tenant in the above embodiments.
  • S1304 The console centrally configures the access control policy.
  • the console obtains the above relevant instance data and network data at regular intervals, and compares them with the existing data, and the changed network and instance are updated synchronously in time to ensure real-time data.
  • S1305 Divide management and control units, and generate corresponding access control policies for each management and control unit.
  • S1306 Determine whether the policy to which the management and control unit belongs has changed. If the policy to which the management and control unit belongs has changed, execute S1307; if it has not changed, execute S1308.
  • S1308 Divide the management and control unit to which the instance belongs, and enable the access control policy of the management and control unit to take effect on the instance.
  • the specific way for the access control policy of a management and control unit to take effect on an instance is to send the access control policy set corresponding to each management and control unit to the instances belonging to that management and control unit, and the instance uses the access control policy set for network traffic control.
  • each instance sends log messages through the message queue service according to the hit situation of the traffic on the instance and the policy, and the log messages are processed by the log service for unified storage and display.
  • S1301-S1309 are the same as the specific implementation manners described in the foregoing embodiments, and will not be repeated here.
  • S1301-S1303 are used for network and instance visualization
  • S1305-S1308 are used for policy arrangement and validation.
  • the client configures the access control policies of the network assets of the target tenant, so that the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data.
  • the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the obtained configuration data, and then sends the access control policy set corresponding to each management and control unit to the instances belonging to that management and control unit; the instance receives the access control policy set corresponding to its management and control unit and uses it to control the network traffic of the instance.
  • distributed firewall configuration can thus be realized, which effectively solves the problem of managing and controlling attack threats in the cloud and protects the network security of cloud tenants.
  • FIG. 14 is a schematic structural diagram of a network security management device provided by an embodiment of the present application.
  • the network security management device 1400 can run the following units:
  • the obtaining unit 1401 is configured to obtain configuration data, the configuration data includes access control policies of network assets of the target tenant, the network assets include private networks, subnets and instances; the private network includes at least one subnet, and the subnet includes at least one instance.
  • the determining unit 1402 is configured to determine a management and control unit and an access control policy set corresponding to the management and control unit according to the configuration data, the management and control unit including one or more of a private network-level management and control unit, a subnet-level management and control unit and an instance-level management and control unit;
  • the sending unit 1403 is configured to send the access control policy set corresponding to the management and control unit to the instance belonging to the management and control unit, and the access control policy set is used to control the network traffic of the instance.
  • the determining unit 1402, when determining one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data, is specifically configured to: obtain the effective object of the at least one access control policy; if the effective object of an access control policy includes the target instance, determine an instance-level management and control unit, the target instance being any instance of the target tenant; and add the access control policy of the target instance, the access control policy of the subnet to which the target instance belongs and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the instance-level management and control unit.
  • the determining unit 1402 is further configured to: if no effective object of an access control policy includes the target instance, but the effective object of an access control policy includes the subnet to which the target instance belongs, determine a subnet-level management and control unit, and add the access control policy of the subnet to which the target instance belongs and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the subnet-level management and control unit.
  • the determining unit 1402 is further configured to: if no effective object of an access control policy includes the target instance or the subnet to which the target instance belongs, but the effective object of an access control policy includes the private network to which the target instance belongs, determine a private network-level management and control unit, and add the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the private network-level management and control unit.
  • the device further includes a division unit, configured to: for an instance-level management and control unit, assign the instance indicated by the effective object of the instance-level management and control unit to the instance-level management and control unit; for a subnet-level management and control unit, assign the instances included in the subnet indicated by the effective object of the subnet-level management and control unit to the subnet-level management and control unit; and for a private network-level management and control unit, assign the instances in the private network indicated by the effective object of the private network-level management and control unit to the private network-level management and control unit.
  • various steps involved in the network security management method shown in FIG. 2 may be executed by various units in the network security management device shown in FIG. 14 .
  • step S201 described in FIG. 2 may be performed by the acquisition unit 1401 in the network security management device 1400 shown in FIG. 14, and step S202 may be performed by the determination unit 1402 in the network security management device 1400 shown in FIG. 14.
  • step S203 may be performed by the sending unit 1403 in the network security management apparatus 1400 shown in FIG. 14 .
  • each unit in the network security management device shown in FIG. 14 may be split into multiple functionally smaller units, which can achieve the same operation without affecting the realization of the technical effects of the embodiments of the present application.
  • the above-mentioned units are divided based on logical functions.
  • the functions of one unit may also be realized by multiple units, or the functions of multiple units may be realized by one unit.
  • the network-based security management device may also include other units.
  • these functions may also be implemented with the assistance of other units, and may be implemented cooperatively by multiple units.
  • a general-purpose computing device such as a computer, including processing elements such as a central processing unit (CPU), a random access storage medium (RAM) and a read-only storage medium (ROM) and storage elements, runs a computer program capable of executing the steps involved in the corresponding method shown in Figure 2, so as to construct a network security management device as shown in Figure 14 and to implement the network security management method of the embodiment of the present application.
  • the computer program may be recorded in, for example, a computer storage medium, loaded into the above-mentioned computing device through the computer storage medium, and run there.
  • one or more management and control units and the access control policy set corresponding to each management and control unit are determined according to the obtained configuration data, where the management and control units include one or more of private network-level management and control units, subnet-level management and control units and instance-level management and control units, and the access control policy set corresponding to each management and control unit is then sent to the instances belonging to that management and control unit, so that the network traffic of the instances is effectively managed and controlled using the access control policy set corresponding to each management and control unit, protecting the network security of tenants on the cloud.
  • the access control policy set corresponding to the management and control unit to which an instance belongs is used to control the network traffic of the instance without pulling (diverting) the network traffic.
  • the implementation is simple, and it can effectively address threat management and control scenarios in the cloud and protect the network security of cloud tenants.
  • FIG. 15 is a schematic structural diagram of a network security management device provided in the embodiment of the present application.
  • the network security management device 1500 can run the following units:
  • the display unit 1501 is configured to display the network assets of the target tenant in the network security management interface, the network security management interface includes a configuration area, and the network assets include private networks, subnets and instances;
  • An acquisition unit 1502 configured to acquire access control configuration operations input for the network asset through the configuration area;
  • the generating unit 1503 is configured to generate configuration data according to the access control configuration operation, where the configuration data includes the access control policy of the target tenant's network assets;
  • the sending unit 1504 is configured to send the configuration data to the server, so that the server determines the management and control unit and the access control policy set corresponding to the management and control unit according to the configuration data, the management and control unit including one or more of a private network-level management and control unit, a subnet-level management and control unit and an instance-level management and control unit.
  • the device further includes a response unit and a receiving unit: the response unit is configured to send a policy acquisition request to the server in response to a policy viewing instruction for the target instance of the target tenant, the policy acquisition request including the instance identifier of the target instance; the receiving unit is configured to receive the access control policy set corresponding to the management and control unit to which the target instance belongs, sent by the server; and the display unit is further configured to display one or more access control policies included in the access control policy set on the network security management interface.
  • each step involved in the network security management method shown in FIG. 5 may be executed by each unit in the network security management device shown in FIG. 15 .
  • step S501 described in FIG. 5 may be performed by the display unit 1501 in the network security management device 1500 shown in FIG. 15, and step S502 may be performed by the acquisition unit 1502 in the network security management device 1500 shown in FIG. 15.
  • step S503 may be performed by the generating unit 1503 in the network security management device 1500 shown in FIG. 15.
  • step S504 may be performed by the sending unit 1504 in the network security management device 1500 shown in FIG. 15.
  • each unit in the network security management device described above may be split into multiple functionally smaller units, which achieves the same operation without affecting the realization of the technical effects of the embodiments of the present application.
  • the above-mentioned units are divided based on logical functions.
  • the functions of one unit may also be realized by multiple units, or the functions of multiple units may be realized by one unit.
  • the network-based security management device may also include other units.
  • these functions may also be implemented with the assistance of other units, and may be implemented cooperatively by multiple units.
  • the above units may be implemented by running, on a general-purpose computing device such as a computer that includes processing elements such as a central processing unit (CPU), a random access storage medium (RAM) and a read-only storage medium (ROM) as well as storage elements, a computer program capable of executing the steps involved in the corresponding method shown in FIG. 2, so as to construct the network security management device shown in FIG. 9 and implement the network security management method of the embodiment of the present application.
  • the computer program may be recorded in, for example, a computer storage medium, loaded into the above-mentioned computing device through the computer storage medium, and run there.
  • in the embodiment of the present application, the network assets of the target tenant are displayed on the network security management interface, the access control policy of the network assets of the target tenant can be configured in the configuration area, and the configuration data is sent to the server, so that the server determines, according to the configuration data, one or more management and control units and the access control policy set corresponding to each management and control unit.
  • the embodiment of the present application provides a computer device, and the computer device described here corresponds to the aforementioned server.
  • FIG. 16 is a schematic structural diagram of a server provided by an embodiment of the present application.
  • the computer device 1600 may at least include a processor 1601, a communication interface 1602 and a computer storage medium 1603.
  • the processor 1601, the communication interface 1602, and the computer storage medium 1603 may be connected through a bus or in other ways.
  • the computer storage medium 1603 may be stored in the memory 1604 of the computer device 1600; the computer storage medium 1603 is used to store a computer program, the computer program includes program instructions, and the processor 1601 is used to execute the program instructions stored in the computer storage medium 1603.
  • the processor 1601 or CPU (central processing unit) is the computing core and control core of the computer device 1600, which is suitable for implementing one or more instructions, specifically for loading and executing the following:
  • acquire configuration data, where the configuration data includes the access control policy of the network assets of the target tenant and the network assets include private networks, subnets and instances; determine, according to the configuration data, one or more management and control units and the access control policy set corresponding to each management and control unit, where the management and control unit includes one or more of a private network level management and control unit, a subnet level management and control unit and an instance level management and control unit; and send the access control policy set corresponding to each management and control unit to the instances belonging to that management and control unit, where the access control policy set is used to control the network traffic of the instance.
  • one or more management and control units and the access control policy set corresponding to each management and control unit are determined according to the acquired configuration data, where the management and control units include one or more of private network level, subnet level and instance level management and control units; the access control policy set corresponding to each management and control unit is then sent to the instances belonging to that management and control unit, so that the network traffic of each instance is effectively managed and controlled using the access control policy set corresponding to its management and control unit, thereby protecting the network security of tenants on the cloud.
  • for each instance, the access control policy set corresponding to the management and control unit to which the instance belongs is used to control the network traffic of the instance, without the network traffic having to be pulled (drawn to a separate traffic processing cluster).
  • the implementation is simple, and it can effectively handle threat management and control scenarios within the cloud and protect the network security of cloud tenants.
  • the embodiment of the present application further provides another computer device, where the computer device corresponds to the aforementioned client.
  • FIG. 17 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
  • the computer device 1700 may at least include a processor 1701, an input interface 1702, an output interface 1703 and a computer storage medium 1704, which are connected to one another.
  • the computer storage medium 1704 may be stored in the memory 1705 of the computer device 1700; the computer storage medium 1704 is used to store a computer program, the computer program includes program instructions, and the processor 1701 is used to execute the program instructions stored in the computer storage medium 1704.
  • the processor 1701 or CPU (central processing unit) is suitable for loading and executing the following: display the network assets of the target tenant in the network security management interface, where the network security management interface includes a configuration area and the network assets include private networks, subnets and instances; acquire access control configuration operations input for the network assets through the configuration area; generate configuration data according to the access control configuration operation, where the configuration data includes the access control policy of the network assets of the target tenant; and send the configuration data to the server, so that the server determines one or more management and control units and the access control policy set corresponding to each management and control unit, where the management and control unit includes one or more of private network level, subnet level and instance level management and control units.
  • in the embodiment of the present application, the network assets of the target tenant are displayed on the network security management interface, the access control policy of the network assets of the target tenant can be configured in the configuration area, and the configuration data is sent to the server, so that the server determines, according to the configuration data, one or more management and control units and the access control policy set corresponding to each management and control unit.
  • the embodiment of the present application also provides a computer storage medium (Memory).
  • the computer storage medium is a memory device in a computer device and is used to store programs and data. It can be understood that the computer storage medium here may include a built-in storage medium in the computer device, and certainly may include an extended storage medium supported by the computer device.
  • a computer storage medium provides a storage space that stores an operating system of a computer device. Moreover, one or more instructions suitable for being loaded and executed by the processor 1601 or 1701 are also stored in the storage space, and these instructions may be one or more computer programs (including program codes).
  • the computer storage medium here may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory.
  • the computer storage medium can be loaded by the processor 1601 and execute one or more instructions stored in the computer storage medium, so as to implement the corresponding steps of the above-mentioned network security management method shown in FIG. 2 .
  • the computer storage medium may be loaded by the processor 1701 and execute one or more instructions stored in the computer storage medium, so as to implement the corresponding steps of the above-mentioned network security management method shown in FIG. 5 .
  • an embodiment of the present application further provides a computer product or computer program, where the computer product or computer program includes computer instructions, and the computer instructions are stored in a computer storage medium.
  • the processor 1601 reads the computer instruction from the computer storage medium, and the processor 1601 executes the computer instruction, so that the computer device executes the network security management method shown in FIG. 2 .
  • the processor 1701 reads the computer instruction from a computer storage medium, and the processor 1701 executes the computer instruction, so that the computer device executes the network security management method shown in FIG. 5 .
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented using software, they may be implemented in whole or in part in the form of a computer program product.
  • a computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part.
  • the computer may be a general purpose computer, a special purpose computer, a computer network or another programmable device. Computer instructions may be stored in or transmitted via computer storage media.
  • computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave).
  • the computer storage medium may be any available medium that can be accessed by a computer, or a data storage device including a server, a data center, and the like integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (Solid State Disk, SSD)), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed in the embodiments of the present application are a network security management method and a computer device, which are applied to the technical field of computers, and are especially applied to the field of network security management. The method comprises: acquiring configuration data, wherein the configuration data comprises an access control policy of a network asset of a target tenant, and the network asset comprises a private network, a sub-network and an instance; determining, according to the configuration data, a management and control unit and an access control policy set, which corresponds to the management and control unit, wherein the management and control unit comprises one or more of a private-network-level management and control unit, a sub-network-level management and control unit and an instance-level management and control unit; and sending the access control policy set, which corresponds to the management and control unit, to an instance belonging to the management and control unit, wherein the access control policy set is used for managing and controlling network traffic of the instance. By means of the embodiments of the present application, a distributed firewall configuration can be realized, the management and control problem of in-cloud attack threats is effectively solved, and thus the network security of a cloud tenant is protected.

Description

A network security management method and computer device
This application claims priority to Chinese patent application No. 202110555000.8, entitled "A Network Security Management Method and Electronic Device", filed on May 20, 2021, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of computer technology, and in particular to a network security management method and computer device.
Background
Public cloud is the most common type of cloud computing deployment and is owned and operated by a cloud computing service provider. In a public cloud, all resources are owned and managed by the cloud service provider, and cloud tenants share hardware, storage, network and other equipment. A cloud tenant may be referred to simply as a tenant.
In order to protect the network security of tenants, the cloud service provider of a public cloud deploys a firewall in the public cloud environment. At present, the firewall implementation method of public cloud services is mainly as follows: at the network boundary of the public cloud, network traffic is drawn to an independent traffic processing cluster, which centrally checks all network traffic against the access control policies preset by users and at the same time reports and stores hit logs and the like.
Summary of the invention
The embodiments of the present application provide a network security management method and computer device, which can realize a distributed firewall configuration, effectively solve the problem of managing and controlling attack threats within the cloud, and protect the network security of tenants.
In one aspect, an embodiment of the present application provides a network security management method, executed by a computer device, the method including:
acquiring configuration data, the configuration data including at least one access control policy of the network assets of a target tenant, the network assets including a private network, subnets and instances, where the private network includes at least one subnet and a subnet includes at least one instance;
determining, according to the configuration data, a management and control unit and the access control policy set corresponding to the management and control unit, the management and control unit including one or more of a private network level management and control unit, a subnet level management and control unit and an instance level management and control unit;
sending the access control policy set corresponding to the management and control unit to an instance belonging to the management and control unit, the access control policy set being used to manage and control the network traffic of the instance.
In another aspect, an embodiment of the present application provides a network security management method, executed by a computer device, the method including:
displaying the network assets of a target tenant in a network security management interface, the network security management interface including a configuration area, the network assets including a private network, subnets and instances, where the private network includes at least one subnet and a subnet includes at least one instance;
acquiring an access control configuration operation, the access control configuration operation being input for the network assets through the configuration area;
generating configuration data according to the access control configuration operation, the configuration data including the access control policy of the network assets of the target tenant;
sending the configuration data to a server, so that the server determines, according to the configuration data, a management and control unit and the access control policy set corresponding to the management and control unit, the management and control unit including one or more of a private network level management and control unit, a subnet level management and control unit and an instance level management and control unit.
In another aspect, an embodiment of the present application provides a network security management apparatus, the apparatus including:
an acquisition unit, configured to acquire configuration data, the configuration data including at least one access control policy of the network assets of a target tenant, the network assets including a private network, subnets and instances, where the private network includes at least one subnet and a subnet includes at least one instance;
a determination unit, configured to determine, according to the configuration data, one or more management and control units and the access control policy set corresponding to each management and control unit, the management and control units including one or more of private network level, subnet level and instance level management and control units;
a sending unit, configured to send the access control policy set corresponding to each management and control unit to the instances belonging to that management and control unit, the access control policy set being used to manage and control the network traffic of the instance.
In another aspect, an embodiment of the present application provides a network security management apparatus, the apparatus including:
a display unit, configured to display the network assets of a target tenant in a network security management interface, the network security management interface including a configuration area, the network assets including a private network, subnets and instances, where the private network includes at least one subnet and a subnet includes at least one instance;
an acquisition unit, configured to acquire an access control configuration operation input for the network assets through the configuration area;
a generating unit, configured to generate configuration data according to the access control configuration operation, the configuration data including the access control policy of the network assets of the target tenant;
a sending unit, configured to send the configuration data to a server, so that the server determines, according to the configuration data, a management and control unit and the access control policy set corresponding to the management and control unit, the management and control unit including one or more of a private network level management and control unit, a subnet level management and control unit and an instance level management and control unit.
In another aspect, an embodiment of the present application provides a computer device, including a processor and a computer storage medium, the computer storage medium storing one or more instructions, the one or more instructions being suitable for being loaded by the processor to execute the network security management method described in any of the foregoing aspects.
In another aspect, an embodiment of the present application provides another computer device, including a processor and a computer storage medium, the computer storage medium storing one or more instructions, the one or more instructions being suitable for being loaded by the processor to execute the network security management method described in any of the foregoing aspects.
In another aspect, an embodiment of the present application provides a computer storage medium, the computer storage medium storing computer program instructions which, when executed by a processor, are used to perform the network security management method described in any of the foregoing aspects.
In another aspect, an embodiment of the present application provides a computer program product or computer program, the computer program product including a computer program stored in a computer storage medium; the processor of a server reads the computer instructions from the computer storage medium and executes the network security management method described in any of the foregoing aspects.
In the embodiments of the present application, one or more management and control units and the access control policy set corresponding to each management and control unit are determined according to the acquired configuration data, where the management and control units include one or more of private network level, subnet level and instance level management and control units; the access control policy set corresponding to each management and control unit is then sent to the instances belonging to that management and control unit, so that the network traffic of each instance is effectively managed and controlled using the access control policy set corresponding to its management and control unit, and the network security of tenants on the cloud is protected. For each instance, the access control policy set corresponding to the management and control unit to which the instance belongs is used to manage and control the network traffic of that instance, without the network traffic having to be pulled; based on the basic capabilities of instances in the public cloud environment, this distributed firewall configuration can effectively handle threat management and control scenarios within the cloud and protect the network security of cloud tenants.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of a network security management system provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of a network security management method provided by an embodiment of the present application;
FIG. 3 is a topological diagram of a user's network assets provided by an embodiment of the present application;
FIG. 4 is a schematic flowchart of another network security management method provided by an embodiment of the present application;
FIG. 5 is a schematic flowchart of another network security management method provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of a network security management interface provided by an embodiment of the present application;
FIG. 7 is a schematic diagram of an inbound rule configuration area provided by an embodiment of the present application;
FIG. 8 is a schematic diagram of an access control management interface provided by an embodiment of the present application;
FIG. 9 is a schematic flowchart of another network security management method provided by an embodiment of the present application;
FIG. 10 is a schematic diagram of an instance policy viewing area provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of a log audit interface provided by an embodiment of the present application;
FIG. 12 is a schematic flowchart of another network security management method provided by an embodiment of the present application;
FIG. 13 is a schematic flowchart of another network security management method provided by an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a network security management apparatus provided by an embodiment of the present application;
FIG. 15 is a schematic structural diagram of another network security management apparatus provided by an embodiment of the present application;
FIG. 16 is a schematic structural diagram of a computer device provided by an embodiment of the present application;
FIG. 17 is a schematic structural diagram of another computer device provided by an embodiment of the present application.
具体实施方式Detailed ways
云技术(Cloud technology)是指在广域网或局域网内将硬件、软件、网络等系列资源统一起来,实现数据的计算、储存、处理和共享的一种托管技术。Cloud technology refers to a hosting technology that unifies a series of resources such as hardware, software, and network in a wide area network or a local area network to realize data calculation, storage, processing, and sharing.
云技术(Cloud technology)基于云计算商业模式应用的网络技术、信息技术、整合技术、管理平台技术、应用技术等的总称,可以组成资源池,按需所用,灵活便利。云计算技术将变成重要支撑。技术网络系统的后台服务需要大量的计算、存储资源,如视频网站、图片类网站和更多的门户网站。伴随着互联网行业的高度发展和应用,将来每个物品都有可能存在自己的识别标志,都需要传输到后台系统进行逻辑处理,不同程度级别的数据将会分开处理,各类行业数据皆需要强大的系统后盾支撑,只能通过云计算来实现。Cloud technology (Cloud technology) is a general term for network technology, information technology, integration technology, management platform technology, application technology, etc. based on cloud computing business model applications. It can form a resource pool, which can be used on demand and is flexible and convenient. Cloud computing technology will become an important support. The background services of technical network systems require a lot of computing and storage resources, such as video websites, picture websites and more portal websites. With the rapid development and application of the Internet industry, each item may have its own identification mark in the future, which needs to be transmitted to the background system for logical processing. Data of different levels will be processed separately, and all kinds of industry data need to be powerful. The system backing support can only be realized through cloud computing.
Cloud security (Cloud Security) is the collective term for the security software, hardware, users, organizations and secure cloud platforms built on the cloud computing business model. Cloud security combines emerging technologies and concepts such as parallel processing, grid computing and the judgment of unknown virus behaviour: a large mesh of clients monitors the behaviour of software on the network for anomalies, obtains the latest information about Trojans and malicious programs on the Internet and sends it to the server side for automatic analysis and processing, after which the remedies for those viruses and Trojans are distributed to every client.
The main research directions of cloud security include: 1. cloud computing security, which studies how to secure the cloud itself and the applications running on it, including cloud computer system security, secure storage and isolation of user data, user access authentication, information transmission security, protection against network attacks, compliance auditing and so on; 2. cloudification of security infrastructure, which studies how to use cloud computing to build and consolidate security infrastructure resources and optimize protection mechanisms, including building very large-scale security event and information collection and processing platforms on cloud computing technology so as to collect and correlate massive volumes of information and improve the ability to control security events and risk across the whole network; 3. cloud security services, which studies the security services offered to users on cloud computing platforms, such as antivirus services.
The embodiments of this application mainly concern cloud security and related technologies in the field of cloud technology, and are described through the following embodiments.
To implement the network security management method described above, an embodiment of this application provides a network security management system. FIG. 1 is a schematic structural diagram of a network security management system provided by an embodiment of this application. The system includes, but is not limited to, one or more clients, one or more servers and one or more instances; FIG. 1 takes one client 101, one server 102 and one instance 103 as an example. Wireless links may be established among the client 101, the server 102 and the instance 103 for communication. The number and form of the devices shown in FIG. 1 are examples and do not limit the embodiments of this application.
The client 101 may execute the client-side network security management method provided by the embodiments of this application: it configures the access control policies for the network assets of a target tenant, so that the server can determine one or more management and control units, and the access control policy set corresponding to each unit, from that configuration data. The server 102 may execute the server-side network security management method provided by the embodiments of this application: it determines one or more management and control units and the access control policy set corresponding to each unit from the obtained configuration data, and then sends each unit's access control policy set to the instances belonging to that unit. The instance 103 may receive the access control policy set of its management and control unit and use that policy set to control the instance's network traffic.
It should be noted that the network assets include private networks, subnets and instances, and that the management and control units include one or more of private-network-level management and control units, subnet-level management and control units and instance-level management and control units. A private network is a tenant's dedicated network space on the cloud; different private networks are completely logically isolated from one another. A subnet is a component of a private network: a private network consists of at least one subnet, and all cloud instance assets in a private network (such as cloud servers and cloud databases) must be deployed inside a subnet.
In addition, an instance is one or more of the following: a cloud server, a cloud database, an elastic network interface and a load balancer. A cloud server provides elastic computing services, scaling computing resources up or down in real time, lowering your hardware and software procurement costs and simplifying IT operations; it is the most important asset on the cloud. A cloud database is a high-performance, highly reliable and elastically scalable managed database service. An elastic network interface is an elastic network interface bound to a cloud server inside a private network that can be migrated freely between cloud servers. A load balancer provides secure and fast traffic distribution: incoming traffic is automatically distributed across multiple cloud servers, extending the system's service capacity and eliminating single points of failure.
In one embodiment, the server 102 and the instance 103 may be independent physical servers, a server cluster or distributed system made up of multiple physical servers, or cloud servers providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and big data and artificial intelligence platforms. The client 101 may be a smartphone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch or the like, but is not limited to these.
In one embodiment, the server 102 and the instance 103 may act as nodes on a blockchain, and the configuration data, the management and control units and the access control policy set corresponding to each unit may be stored on the blockchain.
Based on the network security management system above, an embodiment of this application provides a network security management method. FIG. 2 is a schematic flowchart of a network security management method provided by an embodiment of this application. The method may be applied to the network security management system shown in FIG. 1 and is executed by the server, specifically by the server's processor. The method includes the following steps:
S201: The server obtains configuration data.
In one embodiment, the configuration data includes at least one access control policy for the network assets of the target tenant, where the network assets include private networks, subnets and instances, and an instance is one or more of a cloud server, a cloud database, an elastic network interface, a load balancer and the like. Optionally, the server receives the configuration data sent by the client. It should be noted that an access control policy is a policy governing access to resources: it prevents unauthorized access to any resource, so that network assets are accessed only within the permitted scope.
In one embodiment, a private network includes at least one subnet, and a subnet includes at least one instance. FIG. 3 shows a topology diagram of a user's network assets provided by an embodiment of this application. The configuration data obtained by the server covers the target tenant's 3 private networks (private network A, private network B and private network C), 5 subnets (subnet A, subnet B, subnet C, subnet D and subnet E) and 2 instances (instance A and instance B). Private network A contains one subnet, subnet A; private network B contains 3 subnets, namely subnet B, subnet C and subnet D; private network C contains one subnet, subnet E; and subnet D contains 2 instances, instance A and instance B.
In one embodiment, the server may call an interface for obtaining network asset information on the cloud to obtain the target tenant's network asset information and send it to the client corresponding to that tenant. This makes it convenient for the client to subsequently configure access control policies for the target tenant's network assets. The target tenant may be a tenant or user of a public cloud; in a public cloud, the target tenant is represented by a company name, a user name, an account number or the like.
S202: The server determines the management and control units, and the access control policy set corresponding to each unit, from the configuration data.
The management and control units include one or more of private-network-level management and control units, subnet-level management and control units and instance-level management and control units.
The range of instances controlled by each kind of unit, from largest to smallest, is: private-network-level unit > subnet-level unit > instance-level unit. All instances in the same management and control unit share the same access control policies. A management and control unit is also referred to as a control unit.
A cloud instance asset (that is, an instance) belongs to exactly one management and control unit. In this way the server maintains as few access control policies as possible, reducing system overhead.
It should be noted that when the same management and control unit has multiple access control policies, they may also be called an access control policy set. For brevity, in this embodiment "access control policy" refers to one or more access control policies.
S203: The server sends the access control policy corresponding to the management and control unit to the instances belonging to that unit.
The access control policy corresponding to each management and control unit is used to control the network traffic of the instances in that unit.
The access control policy set of a management and control unit may contain access control policies of one or more levels. For example, the policy set of an instance-level management and control unit includes policy a, policy b, policy c, policy d and policy e, where policy a and policy b are access control policies of the same instance, policy c and policy d are access control policies of the same subnet, and policy e is an access control policy of the private network. In this way the final enforcement point of each unit's access control policy set is placed on each instance, and each instance can execute every access control policy in the policy set of the unit it belongs to. This distributed firewall configuration effectively addresses threat control scenarios inside the cloud and protects the network security of tenants on the cloud.
In one embodiment, the server receives the access control hit information sent by each instance and stores it. In this way the hit status of each instance's access control policies, such as attack logs, is preserved so that the user can review it later. Access control hit information is the information generated when traffic on an instance matches (hits) an access control policy.
In summary, in the embodiments of this application, configuration data is obtained that includes the access control policies for the network assets of a target tenant, where the network assets include private networks, subnets and instances; the management and control units, and the access control policy set corresponding to each unit, are determined from the configuration data, where the units include one or more of private-network-level, subnet-level and instance-level management and control units; and each unit's access control policy set is sent to the instances belonging to that unit, where it is used to control the instances' network traffic.
It should be understood that by orchestrating the access control policies of the target tenant's network assets into the individual management and control units, and controlling each instance's network traffic with the policy set of the unit that instance belongs to, no network traffic needs to be diverted elsewhere; the scheme relies on the basic capabilities of instances in a public cloud environment, is simple to implement, and effectively addresses threat control scenarios inside the cloud, protecting the network security of tenants on the cloud.
FIG. 4 is a schematic flowchart of another network security management method provided by an embodiment of this application. The method may be applied to the network security management system shown in FIG. 1 and is executed by the server, specifically by the server's processor. The method includes the following steps:
S401: The server obtains configuration data.
S401 is implemented in the same way as S201 above and is not repeated here.
S402: The server obtains the effective object of each of the at least one access control policy.
In one embodiment, the effective object is any network asset of the target tenant. The server traverses the effective object of each access control policy to determine one or more management and control units and the access control policy set corresponding to each unit.
For example, the effective object may be any one of a private network, a subnet and an instance.
S403: The server determines whether any access control policy has an effective object that includes the target instance. If such a policy exists, S404 is executed; if not, S405 is executed.
S404: The server determines an instance-level management and control unit, and adds the access control policy of the target instance, the access control policy of the subnet the target instance belongs to and the access control policy of the private network the target instance belongs to into the access control policy set corresponding to that instance-level unit.
In one embodiment, the target instance is any instance of the target tenant. Different target instances correspond to different instance-level management and control units.
For example, the target instance is a cloud database, the access control policy of the cloud database is policy A, the access control policy of the subnet it belongs to is policy B, and the access control policy of the private network it belongs to is policy C. The server determines that the cloud database's own access control policy exists, so it determines an instance-level management and control unit and adds policy A, policy B and policy C to the access control policy set corresponding to that unit.
S405: The server determines whether any access control policy has an effective object that includes the subnet the target instance belongs to. If such a policy exists, S406 is executed; if not, S407 is executed.
In one embodiment, having determined that no access control policy's effective object includes the target instance, the server further determines whether any access control policy's effective object includes the subnet the target instance belongs to.
S406: The server determines a subnet-level management and control unit, and adds the access control policy of the subnet the target instance belongs to and the access control policy of the private network the target instance belongs to into the access control policy set corresponding to that subnet-level unit.
For example, the target instance is a cloud database, no access control policy exists for the cloud database itself, the access control policy of the subnet it belongs to is policy B, and the access control policy of the private network it belongs to is policy C. The server determines that the subnet's access control policy exists, so it determines a subnet-level management and control unit and adds policy B and policy C to the access control policy set corresponding to that unit.
S407: If an access control policy has an effective object that includes the private network the target instance belongs to, the server determines a private-network-level management and control unit and adds the access control policy of that private network into the access control policy set corresponding to that private-network-level unit.
In one embodiment, when the server determines that no access control policy's effective object includes the target instance or the subnet it belongs to, but some access control policy's effective object includes the private network the target instance belongs to, it determines a private-network-level management and control unit and the access control policy set corresponding to it.
For example, the target instance is a cloud database, neither the cloud database's own access control policy nor that of its subnet exists, and the access control policy of the private network it belongs to is policy C. The server determines that the private network's access control policy exists, so it determines a private-network-level management and control unit and adds policy C to the access control policy set corresponding to that unit.
In one embodiment, after the server has determined one or more management and control units and the access control policy set of each unit from the configuration data, it must detect whether the access control policies of the target tenant's network assets have changed; if they have, the access control policy set of the affected unit is updated.
It should be noted that S402 to S407 are one specific implementation of S202 above.
S408: For a first management and control unit among the one or more units, if the first unit is an instance-level management and control unit, the server assigns the instance indicated by that unit's effective object to the first unit.
In one embodiment, the first management and control unit is any one of the one or more units. A cloud instance asset belongs to exactly one management and control unit; the unit an instance belongs to is chosen by the principle of the smallest control scope, where the control scopes from largest to smallest are: private-network-level unit > subnet-level unit > instance-level unit.
For example, suppose the first unit is instance-level management and control unit A and the instance indicated by its effective object is a cloud database; the cloud database is then assigned to instance-level unit A.
In one embodiment, if the first unit is a subnet-level management and control unit, the server assigns the instances contained in the subnet indicated by that unit's effective object to the first unit.
For example, suppose the first unit is subnet-level management and control unit A and the subnet indicated by its effective object is subnet A, which contains instance A and instance B; both instance A and instance B are then assigned to subnet-level unit A.
In one embodiment, if the first unit is a private-network-level management and control unit, the server assigns the instances contained in the private network indicated by that unit's effective object to the first unit.
For example, suppose the first unit is private-network-level management and control unit A and the private network indicated by its effective object is private network A, which contains subnet A and subnet B, where subnet A contains instance A and instance B and subnet B contains instance C; instance A, instance B and instance C are then all assigned to private-network-level unit A.
S409: The server sends the access control policy set corresponding to each management and control unit to the instances belonging to that unit.
For example, instance Q belongs to instance-level management and control unit 1, whose access control policy set includes policy A, policy B and policy C. The server therefore sends policy A, policy B and policy C to instance Q, and instance Q controls its inbound and outbound network traffic according to policy A, policy B and policy C.
S409 is implemented in the same way as S203 above and is not repeated here.
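The following is an added example, not code from the patent application, showing one way to implement steps S402 to S409 as a whole: for each instance, walk the chain instance > subnet > private network, let the smallest scope that carries its own policy decide the kind of management and control unit, collect that level's policies together with those of every larger level, and then group instances into units so that each instance lands in exactly one unit. The topology follows FIG. 3 (subnet D of private network B holds instance A and instance B); instance C in subnet E, instance D in subnet B, and all policy ids are constructed for illustration.

```python
# Added example (not code from the patent application): steps S402 to S409.
# Topology after FIG. 3; instance C, instance D and the policy ids are
# constructed for illustration only.

# Constructed topology: instance -> subnet, subnet -> private network.
INSTANCE_SUBNET = {
    "instance A": "subnet D", "instance B": "subnet D",
    "instance C": "subnet E", "instance D": "subnet B",
}
SUBNET_VPC = {
    "subnet A": "private network A", "subnet B": "private network B",
    "subnet C": "private network B", "subnet D": "private network B",
    "subnet E": "private network C",
}

# Constructed configuration data (S401): every access control policy carries
# its effective object (S402) as (level, asset name) plus a policy id.
POLICIES = [
    ("instance", "instance A", "policy a"),
    ("instance", "instance A", "policy b"),
    ("subnet", "subnet D", "policy c"),
    ("subnet", "subnet D", "policy d"),
    ("private_network", "private network B", "policy e"),
]


def policies_for(level, asset, policies=POLICIES):
    """Policies whose effective object is exactly this asset, in config order."""
    return [pid for lvl, obj, pid in policies if lvl == level and obj == asset]


def unit_for_instance(inst, policies=POLICIES):
    """S403-S407 for one target instance.

    Walk the chain instance > subnet > private network (smallest scope first).
    The first level that has its own policy decides the kind of management and
    control unit; the policy set is that level's policies plus those of every
    larger level above it. Returns ((level, asset), policy_set), or None when
    no access control policy covers the instance at any level.
    """
    subnet = INSTANCE_SUBNET[inst]
    chain = [("instance", inst), ("subnet", subnet),
             ("private_network", SUBNET_VPC[subnet])]
    for i, (level, asset) in enumerate(chain):
        if policies_for(level, asset, policies):
            policy_set = [pid for lvl, obj in chain[i:]
                          for pid in policies_for(lvl, obj, policies)]
            return (level, asset), policy_set
    return None


def build_units(instances, policies=POLICIES):
    """S408: group instances into units; each instance joins exactly one unit,
    the smallest-scope one. Returns {unit: {"policies": [...],
    "instances": [...]}}. S409 then sends units[u]["policies"] to every
    member of units[u]["instances"]."""
    units = {}
    for inst in instances:
        found = unit_for_instance(inst, policies)
        if found is None:
            continue  # no access control policy applies to this instance
        unit, policy_set = found
        entry = units.setdefault(unit, {"policies": policy_set, "instances": []})
        entry["instances"].append(inst)
    return units


if __name__ == "__main__":
    for unit, entry in build_units(sorted(INSTANCE_SUBNET)).items():
        print(unit, "->", entry["instances"], entry["policies"])
```

Instance A ends up in its own instance-level unit with all five policies, instance B (same subnet, no policy of its own) in a subnet-level unit with policies c, d and e, instance D in a private-network-level unit with policy e alone, and instance C in no unit at all because nothing in its chain carries a policy. Re-running `build_units` after the configuration data changes is the simplest form of the update mentioned for the case where a tenant's policies are modified.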
In summary, in the embodiments of this application, configuration data is obtained that includes the access control policies for the network assets of a target tenant, where the network assets include private networks, subnets and instances; one or more management and control units, and the access control policy set corresponding to each unit, are determined from the configuration data, where the units include one or more of private-network-level, subnet-level and instance-level management and control units; and each unit's access control policy set is sent to the instances belonging to that unit, where it is used to control the instances' network traffic. It should be understood that by orchestrating the access control policies of the target tenant's network assets into the individual management and control units, and controlling each instance's network traffic with the policy set of the unit that instance belongs to, no network traffic needs to be diverted elsewhere; the scheme relies on the basic capabilities of instances in a public cloud environment, is simple to implement, and effectively addresses threat control scenarios inside the cloud, protecting the network security of tenants on the cloud.
FIG. 5 is a schematic flowchart of another network security management method provided by an embodiment of this application. The method may be applied to the network security management system shown in FIG. 1 and is executed by the client, specifically by the client's processor. The method includes the following steps:
S501: The client displays the network assets of the target tenant in a network security management interface.
In one embodiment, the network assets include private networks, subnets and instances. FIG. 6 shows a schematic diagram of a network security management interface provided by an embodiment of this application. Through the asset scan option or the synchronize assets option in this interface the user can obtain all of the user's network assets; the user can also set an asset scan period (for example one scan every 7 days or every 24 hours) so that all of the user's network assets are scanned at a fixed interval.
In addition, the network security management interface shows the number of public network assets, intranet assets, private networks, exposed ports, exposed vulnerabilities and security events, together with bar charts of peak inbound bandwidth, peak outbound bandwidth, cumulative inbound traffic, cumulative outbound traffic, security events, exposed ports and exposed vulnerabilities. The interface also provides 6 network asset options: public network assets, intranet assets, private network assets, subnets, exposed ports and exposed vulnerabilities. When the client detects a click on one of these 6 options, it displays the network assets corresponding to the selected option, including each asset's name or identity document (ID), the virtual private cloud (Virtual Private Cloud, VPC) it belongs to, its IPv4 CIDR (Internet Protocol version 4 classless inter-domain routing) block, region, availability zone, cloud server, available IP (Internet Protocol) addresses and resource tags. It should be noted that the user can also look up network assets quickly through the query area.
In one embodiment, the network security management interface further includes a configuration area through which the user can configure access control policies for the network assets. FIG. 7 shows a schematic diagram of an inbound rule configuration area provided by an embodiment of this application. The configuration area includes an access source type option, a port/protocol type option and a rule priority option: the access source type option offers IP address and parameter template, the port/protocol type option offers manual entry and parameter template, and the rule priority option offers first and last. It should be noted that a parameter template represents a set of IP addresses; all configurations are built on top of the parameter template, which reduces the user's effort in configuring policies.
In addition, an access control policy configured by the user must include an access destination type, an execution order, an access source, an access destination, a destination port, a protocol, a policy (action) and a description. The access destination type is one of cloud server, cloud database, elastic network interface, load balancer, subnet, private network and resource tag. The policy is a block or allow rule for the various Layer 3 network protocols, which include the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), the Internet Control Message Protocol (ICMP) and so on. It should be noted that the user can keep inbound and outbound rules synchronized through the automatic two-way delivery option, which reduces the user's effort in configuring policies.
For example, an access control policy configured by the client may be: execution order 4, access source 0.0.0.0/0, access destination Ins-hkpl3ga1, destination port -1/-1, protocol TCP, policy block, description rule, access destination type subnet.
S502: The client acquires an access control configuration operation input through the configuration area for the network asset.
In one embodiment, the client configures access control policies for different network assets in the configuration area and acquires the access control configuration operation input for the network asset, so that the client can subsequently generate configuration data from the access control configuration operation.
S503: The client generates configuration data according to the access control configuration operation.
In one embodiment, the configuration data includes the access control policies of the target tenant's network assets. The client displays the access control policies of the target tenant's network assets in an access control management interface. FIG. 8 is a schematic diagram of an access control management interface provided by an embodiment of the present application; the enterprise security group shown is Shanghai and contains 3 rules in total. The access control management interface shows the number of inbound rules, the number of outbound rules, the number of security groups and the security group quota; the details of the security group quota can be viewed and the quota can be managed. The access control management interface also includes an operation log in which the user can view recent operation records.
In addition, the access control policies of all network assets of the target tenant displayed in the access control management interface include execution sequence, access source, access destination, destination port, protocol, policy, description, status and operations, where the operations include edit, insert and delete options. The user can also add a new access control policy through the add rule option in the access control management interface. It should be noted that the user can also quickly look up access control policies through the query area.
S504: The client sends the configuration data to the server, so that the server determines the management and control units and the access control policy set corresponding to each management and control unit according to the configuration data.
In one embodiment, the management and control unit includes one or more of a private-network-level management and control unit, a subnet-level management and control unit and an instance-level management and control unit. The client sends the configuration data to the server so that the server can determine one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data.
To sum up, in this embodiment of the present application, the network assets of the target tenant are displayed in the network security management interface, the access control configuration operation input through the configuration area for the network assets is acquired, configuration data is generated according to the access control configuration operation, and the configuration data is sent to the server. It should be understood that the access control policies of the target tenant's network assets are configured in the configuration area and the configuration data is sent to the server so that the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data; the user can thus flexibly configure the access control policies of each network asset as needed.
FIG. 9 is a schematic flowchart of another network security management method provided by an embodiment of the present application. The network security management method can be applied to the network security management system shown in FIG. 1 and is executed by the client, specifically by the processor of the client. The network security management method includes the following steps:
S901: The client displays the network assets of the target tenant in the network security management interface.
S902: The client acquires an access control configuration operation input through the configuration area for the network asset.
S903: The client generates configuration data according to the access control configuration operation.
S904: The client sends the configuration data to the server, so that the server determines the management and control units and the access control policy set corresponding to each management and control unit according to the configuration data.
The specific implementation of S901 to S904 is the same as that of S501 to S504 described above and is not repeated here.
S905: In response to a policy viewing instruction for a target instance of the target tenant, the client sends a policy acquisition request to the server.
In one embodiment, the policy acquisition request includes the instance identifier of the target instance. According to the policy viewing instruction for the target instance of the target tenant, the client determines the instance identifier of the target instance and sends the policy acquisition request to the server, so that the server determines the access control policy set corresponding to the management and control unit to which the target instance belongs.
S906: The client receives, from the server, the access control policy set corresponding to the management and control unit to which the target instance belongs.
In one embodiment, from the acquired access control policy set corresponding to the management and control unit to which the target instance belongs, the client determines the access control policies in effect for the target instance.
S907: The client displays, in the network security management interface, the one or more access control policies included in the access control policy set.
In one embodiment, through an instance policy viewing area in the network security management interface, and according to the user's click operation on different instance options, the access control policy set of the instance corresponding to the clicked instance option is displayed in the network security management interface. FIG. 10 is a schematic diagram of an instance policy viewing area provided by an embodiment of the present application. The instance policy viewing area includes an inbound rule option and an outbound rule option; inbound rules are the rules for other servers or devices accessing the target tenant, and outbound rules are the rules for the target tenant accessing other servers or devices. The instance policy viewing area also includes an add rule option, an import rule option, a sort option, a delete option and a one-click allow option, where the add rule option is used to add a new access control policy and the one-click allow option sets all access control policies to allow. In addition, each displayed access control policy includes source, protocol and port, policy, remark, modification time and operations, where the operations include edit, insert and delete options.
In one embodiment, the client displays the access control hit information of each instance in a log audit interface, which helps improve the reliability of network security management. FIG. 11 is a schematic diagram of a log audit interface provided by an embodiment of the present application. The log audit interface includes inbound rules and outbound rules, and the access control hit information includes hit time, access source, source port, access destination (my assets), destination port, protocol and policy.
To sum up, in this embodiment of the present application, the network assets of the target tenant are displayed in the network security management interface, the access control configuration operation input through the configuration area for the network assets is acquired, configuration data is generated according to the access control configuration operation, and the configuration data is sent to the server. It should be understood that the access control policies of the target tenant's network assets are configured in the configuration area and the configuration data is sent to the server so that the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data.
FIG. 12 is a schematic flowchart of another network security management method provided by an embodiment of the present application. The network security management method can be applied to the network security management system shown in FIG. 1 and is implemented through interaction among the server, the client and the instance, specifically executed by the processor of the server, the processor of the client and the processor of the instance. The network security management method includes the following steps:
S1201: The client displays the network assets of the target tenant in the network security management interface.
S1202: The client acquires an access control configuration operation input through the configuration area for the network asset.
S1203: The client generates configuration data according to the access control configuration operation.
S1204: The client sends the configuration data to the server.
S1205: The server determines the management and control units and the access control policy set corresponding to each management and control unit according to the configuration data.
S1206: The server sends the access control policy set corresponding to a management and control unit to the instances belonging to that management and control unit.
S1207: The instance receives the access control policy set corresponding to the management and control unit to which it belongs.
S1208: The instance controls its network traffic according to the access control policy set corresponding to the management and control unit and generates access control hit information.
The specific implementation of S1201 to S1208 is the same as that described in the above embodiments and is not repeated here.
To sum up, in this embodiment of the present application, the client configures the access control policies of the target tenant's network assets so that the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data; the server determines the one or more management and control units and the access control policy set corresponding to each according to the acquired configuration data, and then sends the access control policy set corresponding to each management and control unit to the instances belonging to that management and control unit; the instance receives the access control policy set corresponding to its management and control unit and uses it to control the instance's network traffic. Based on the method described in FIG. 12, a distributed firewall configuration can be realized, which effectively addresses the management and control of attack threats inside the cloud and protects the network security of cloud tenants.
FIG. 13 is a schematic flowchart of another network security management method provided by an embodiment of the present application. The network security management method can be applied to the network security management system shown in FIG. 1 and is implemented through interaction among the server, the client and the instance, specifically executed by the processor of the server, the processor of the client and the processor of the instance. The network security management method includes the following steps:
S1301: Tenant network discovery. The tenant corresponds to the target tenant in the above embodiments.
S1302: Tenant instance discovery.
S1303: Visual orchestration of networks and instances.
S1304: Centralized configuration of access control policies in the console.
In one embodiment, the console obtains the above instance data and network data at regular intervals and compares them with the existing data; networks and instances that have changed are synchronized and updated promptly to keep the data current.
S1305: Divide management and control units and generate the corresponding access control policies for each management and control unit.
S1306: Determine whether the policies of a management and control unit have changed. If the policies of the management and control unit have changed, execute S1307; if they have not changed, execute S1308.
S1307: Update the policies of the management and control unit.
S1308: Determine the management and control unit to which each instance belongs, and make the access control policies of that management and control unit take effect on the instance.
The specific way in which the access control policies of a management and control unit take effect on an instance is that the access control policy set corresponding to each management and control unit is sent to the instances belonging to that management and control unit, and the instances use the access control policy set to control network traffic.
S1309: Report and display access control logs.
In one embodiment, based on the traffic on the instance and which policies it hits, each instance sends log messages through a message queue service; the messages are processed by a log service and then stored and displayed centrally.
The specific implementation of S1301 to S1309 is the same as that described in the above embodiments and is not repeated here. S1301 to S1303 are used for network and instance visualization, and S1305 to S1308 are used for policy orchestration and taking effect.
To sum up, in this embodiment of the present application, the client configures the access control policies of the target tenant's network assets so that the server determines one or more management and control units and the access control policy set corresponding to each management and control unit according to the configuration data; the server determines the one or more management and control units and the access control policy set corresponding to each according to the acquired configuration data, and then sends the access control policy set corresponding to each management and control unit to the instances belonging to that management and control unit; the instance receives the access control policy set corresponding to its management and control unit and uses it to control the instance's network traffic. Based on the method described in FIG. 13, a distributed firewall configuration can be realized, which effectively addresses the management and control of attack threats inside the cloud and protects the network security of cloud tenants.
Based on the above network security management method, an embodiment of the present application provides a network security management apparatus. FIG. 14 is a schematic structural diagram of a network security management apparatus provided by an embodiment of the present application. The network security management apparatus 1400 can run the following units:
An acquisition unit 1401, configured to acquire configuration data, the configuration data including the access control policies of the network assets of a target tenant, the network assets including private networks, subnets and instances, where a private network includes at least one subnet and a subnet includes at least one instance;
a determining unit 1402, configured to determine management and control units and the access control policy set corresponding to each management and control unit according to the configuration data, the management and control unit including one or more of a private-network-level management and control unit, a subnet-level management and control unit and an instance-level management and control unit;
a sending unit 1403, configured to send the access control policy set corresponding to a management and control unit to the instances belonging to that management and control unit, the access control policy set being used to control the network traffic of the instances.
In one embodiment, when determining one or more management and control units and the access control policy set corresponding to each according to the configuration data, the determining unit 1402 is specifically configured to: acquire the effective object of each of the at least one access control policy; if there is an access control policy whose effective object includes a target instance, determine an instance-level management and control unit, the target instance being any instance of the target tenant; and add the access control policy of the target instance, the access control policy of the subnet to which the target instance belongs and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to that instance-level management and control unit.
In one embodiment, the determining unit 1402 is further configured to: if no access control policy has an effective object that includes the target instance, but there is an access control policy whose effective object includes the subnet to which the target instance belongs, determine a subnet-level management and control unit; and add the access control policy of the subnet to which the target instance belongs and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to that subnet-level management and control unit.
In one embodiment, the determining unit 1402 is further configured to: if no access control policy has an effective object that includes the target instance or the subnet to which the target instance belongs, but there is an access control policy whose effective object includes the private network to which the target instance belongs, determine a private-network-level management and control unit; and add the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to that private-network-level management and control unit.
In one embodiment, the apparatus further includes a division unit configured to: for an instance-level management and control unit, assign the instance indicated by the effective object of that unit to the instance-level management and control unit; for a subnet-level management and control unit, assign the instances included in the subnet indicated by the effective object of that unit to the subnet-level management and control unit; and for a private-network-level management and control unit, assign the instances in the private network indicated by the effective object of that unit to the private-network-level management and control unit.
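The three-case determination performed by the determining unit 1402 and the grouping performed by the division unit, as an added example in Python that is not part of the patent or of any product it describes. The record fields follow the policy fields listed above; the class and function names, the constructed tenant (one VPC, two subnets, three instances) and the rule that policies of different scopes are concatenated in the order instance, subnet, private network are this example's own assumptions, since the page does not specify how execution order is merged across scopes.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Level(Enum):
    # Scope of a policy's effective object; the page calls the VPC level "private network level".
    INSTANCE = "instance"
    SUBNET = "subnet"
    VPC = "private_network"


@dataclass(frozen=True)
class Policy:
    # Fields follow the page's policy record; the field names are this example's own.
    order: int           # execution sequence within its own scope
    source: str          # access source, e.g. a CIDR
    target: str          # access destination, i.e. the effective object id
    target_level: Level  # access destination type, reduced to the three scopes
    port: str            # destination port, "-1/-1" as in the page's example
    protocol: str
    action: str          # "block" or "allow"
    description: str = ""


@dataclass(frozen=True)
class Instance:
    instance_id: str
    subnet_id: str
    vpc_id: str


ControlUnit = Tuple[Level, str]


def _scoped(policies: Iterable[Policy], level: Level, obj_id: str) -> List[Policy]:
    # Policies whose effective object is exactly this object, in execution order.
    return sorted((p for p in policies if p.target_level is level and p.target == obj_id),
                  key=lambda p: p.order)


def determine_control_unit(inst: Instance,
                           policies: Iterable[Policy]) -> Tuple[Optional[ControlUnit], List[Policy]]:
    """Apply the page's three cases to one instance.

    Returns the management and control unit the instance falls into and the policy set
    for that unit. Assumption: across scopes the set is assembled instance, then subnet,
    then private network, each scope in its own execution order.
    """
    policies = list(policies)
    inst_p = _scoped(policies, Level.INSTANCE, inst.instance_id)
    subnet_p = _scoped(policies, Level.SUBNET, inst.subnet_id)
    vpc_p = _scoped(policies, Level.VPC, inst.vpc_id)
    if inst_p:                      # case 1: a policy targets the instance itself
        return (Level.INSTANCE, inst.instance_id), inst_p + subnet_p + vpc_p
    if subnet_p:                    # case 2: none on the instance, but one on its subnet
        return (Level.SUBNET, inst.subnet_id), subnet_p + vpc_p
    if vpc_p:                       # case 3: only the private network is targeted
        return (Level.VPC, inst.vpc_id), vpc_p
    return None, []                 # no policy reaches this instance at any scope


def partition(instances: Iterable[Instance],
              policies: Iterable[Policy]) -> Dict[ControlUnit, List[str]]:
    """Group instance ids by the unit they belong to (the division unit's job)."""
    policies = list(policies)
    units: Dict[ControlUnit, List[str]] = {}
    for inst in instances:
        unit, _ = determine_control_unit(inst, policies)
        if unit is not None:
            units.setdefault(unit, []).append(inst.instance_id)
    return units


# Constructed sample tenant: one private network, two subnets, three instances.
INSTANCES = [
    Instance("ins-a1", "subnet-a", "vpc-1"),
    Instance("ins-a2", "subnet-a", "vpc-1"),
    Instance("ins-b1", "subnet-b", "vpc-1"),
]

# Constructed policies; the first mirrors the shape of the page's example record.
POLICIES = [
    Policy(4, "0.0.0.0/0", "subnet-a", Level.SUBNET, "-1/-1", "TCP", "block", "rule"),
    Policy(1, "10.0.0.0/8", "ins-a2", Level.INSTANCE, "22", "TCP", "allow", "ssh from intranet"),
    Policy(2, "0.0.0.0/0", "vpc-1", Level.VPC, "-1/-1", "ICMP", "block", "no ping"),
]

if __name__ == "__main__":
    for inst in INSTANCES:
        unit, policy_set = determine_control_unit(inst, POLICIES)
        print(inst.instance_id, "->", unit, [p.description for p in policy_set])
    print(partition(INSTANCES, POLICIES))
```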
According to an embodiment of the present application, the steps of the network security management method shown in FIG. 2 may be executed by the units of the network security management apparatus shown in FIG. 14. For example, step S201 in FIG. 2 may be executed by the acquisition unit 1401 of the network security management apparatus 1400 shown in FIG. 14, step S202 by the determining unit 1402 of the network security management apparatus 1400 shown in FIG. 14, and step S203 by the sending unit 1403 of the network security management apparatus 1400 shown in FIG. 14.
According to another embodiment of the present application, the units of the network security management apparatus shown in FIG. 14 may be separately or wholly combined into one or several other units, or one or more of them may be further split into multiple functionally smaller units; this achieves the same operation without affecting the technical effects of the embodiments of the present application. The above units are divided on the basis of logical functions; in practical applications, the function of one unit may be realized by multiple units, or the functions of multiple units may be realized by one unit. In other embodiments of the present application, the network security management apparatus may also include other units; in practical applications, these functions may also be realized with the assistance of other units and may be realized cooperatively by multiple units.
According to another embodiment of the present application, the network security management apparatus shown in FIG. 14 may be constructed, and the network security management method of the embodiments of the present application implemented, by running a computer program (including program code) capable of executing the steps of the corresponding method shown in FIG. 2 on a general-purpose computing device such as a computer that includes processing elements and storage elements such as a central processing unit (CPU), random access memory (RAM) and read-only memory (ROM). The computer program may be recorded on, for example, a computer storage medium, loaded into the above computing device via the computer storage medium, and run there.
In this embodiment of the present application, one or more management and control units and the access control policy set corresponding to each are determined according to the acquired configuration data, where the management and control units include one or more of private-network-level, subnet-level and instance-level management and control units; the access control policy set corresponding to each management and control unit is then sent to the instances belonging to that management and control unit, so that the network traffic of the instances is effectively controlled using that policy set and the network security of tenants on the cloud is protected. In this way, the network traffic of each instance is controlled using the access control policy set of the management and control unit to which it belongs, without redirecting the network traffic; the scheme is built on the basic capabilities of instances in the public cloud environment, is simple to implement, and effectively addresses the management and control of threats inside the cloud, protecting the network security of cloud tenants.
基于上述的网络安全管理方法,本申请实施例提供了另一种网络安全管理装置。请参见图15,是本申请实施例提供的一种网络安全管理装置的结构示意图,该网络安全管理装置 1500可以运行如下单元:Based on the foregoing network security management method, an embodiment of the present application provides another network security management device. Please refer to FIG. 15, which is a schematic structural diagram of a network security management device provided in the embodiment of the present application. The network security management device 1500 can run the following units:
展示单元1501,用于在网络安全管理界面中展示目标租户的网络资产,该网络安全管理界面包括配置区域,该网络资产包括私有网络、子网和实例;The display unit 1501 is configured to display the network assets of the target tenant in the network security management interface, the network security management interface includes a configuration area, and the network assets include private networks, subnets and instances;
获取单元1502,用于获取通过该配置区域针对该网络资产输入的访问控制配置操作;An acquisition unit 1502, configured to acquire access control configuration operations input for the network asset through the configuration area;
生成单元1503,根据该访问控制配置操作生成配置数据,该配置数据包括该目标租户的网络资产的访问控制策略;The generating unit 1503 is configured to generate configuration data according to the access control configuration operation, where the configuration data includes the access control policy of the target tenant's network assets;
发送单元1504,用于向服务器发送该配置数据,以使得该服务器根据该配置数据确定管控单位以及管控单位对应的访问控制策略集,该管控单位包括私有网络级管控单位、子网级管控单位和实例级管控单位中的一种或多种。The sending unit 1504 is configured to send the configuration data to the server, so that the server determines the management and control unit and the access control policy set corresponding to the management and control unit according to the configuration data, and the management and control unit includes a private network level management and control unit, a subnetwork level management and control unit, and One or more of instance-level control units.
In one embodiment, the device further includes a response unit and a receiving unit. The response unit is configured to send a policy acquisition request to the server in response to a policy viewing instruction for a target instance of the target tenant, the policy acquisition request including the instance identifier of the target instance; the receiving unit is configured to receive, from the server, the access control policy set corresponding to the control unit to which the target instance belongs; and the display unit is further configured to display, in the network security management interface, the one or more access control policies included in that access control policy set.
According to an embodiment of the present application, the steps of the network security management method shown in FIG. 5 may be executed by the units of the network security management device shown in FIG. 15. For example, step S501 in FIG. 5 may be executed by the display unit 1501 of the network security management device 1500 shown in FIG. 15, step S502 by the acquisition unit 1502, step S503 by the generating unit 1503, and step S504 by the sending unit 1504 of the same device.
According to another embodiment of the present application, the units of the network security management device shown in FIG. 15 may be combined, individually or all together, into one or more other units, or one or more of them may be further split into several functionally smaller units; this achieves the same operations without affecting the technical effects of the embodiments of the present application. The above units are divided by logical function; in practice, the function of one unit may be implemented by several units, or the functions of several units may be implemented by a single unit. In other embodiments of the present application, the network security management device may also include other units, and in practice these functions may be implemented with the assistance of other units or cooperatively by several units.
According to another embodiment of the present application, the network security management device shown in FIG. 9 may be constructed, and the network security management method of the embodiments of the present application implemented, by running a computer program (including program code) capable of executing the steps of the corresponding method shown in FIG. 2 on a general-purpose computing device such as a computer that includes processing elements and storage elements such as a central processing unit (CPU), a random access memory (RAM) and a read-only memory (ROM). The computer program may be recorded on, for example, a computer storage medium, loaded into the above computing device from that medium, and run there.
In the embodiments of the present application, the network assets of a target tenant are displayed in a network security management interface; the access control policies of those network assets can be configured in the configuration area, and the resulting configuration data is sent to the server so that the server determines, from the configuration data, one or more control units and the access control policy set corresponding to each control unit. In this way, the access control policies of the target tenant's network assets are configured in the configuration area and delivered to the server as configuration data, from which the server derives the control units and their access control policy sets.
Based on the above embodiments of the network security management method and network security management device, an embodiment of the present application provides a computer device; the computer device described here corresponds to the aforementioned server. Referring to FIG. 16, which is a schematic structural diagram of a server provided by an embodiment of the present application, the computer device 1600 may include at least: a processor 1601, a communication interface 1602 and a computer storage medium 1603. The processor 1601, the communication interface 1602 and the computer storage medium 1603 may be connected by a bus or in other ways.
The computer storage medium 1603 may be stored in the memory 1604 of the computer device 1600. The computer storage medium 1603 is configured to store a computer program, the computer program includes program instructions, and the processor 1601 is configured to execute the program instructions stored in the computer storage medium 1603. The processor 1601 (also called a CPU, Central Processing Unit) is the computing core and control core of the computer device 1600; it is adapted to implement one or more instructions, and specifically to load and execute the following:
obtaining configuration data, the configuration data including the access control policies of the network assets of a target tenant, the network assets including private networks, subnets and instances; determining, according to the configuration data, one or more control units and the access control policy set corresponding to each control unit, the control units including one or more of private-network-level control units, subnet-level control units and instance-level control units; and sending the access control policy set corresponding to each control unit to the instances belonging to that control unit, the access control policy set being used to control the network traffic of those instances.
In the embodiments of the present application, one or more control units and the access control policy set corresponding to each control unit are determined from the obtained configuration data, where the control units include one or more of private-network-level control units, subnet-level control units and instance-level control units; the access control policy set corresponding to each control unit is then sent to the instances belonging to that control unit, so that the network traffic of each instance is effectively controlled by the policy set of its control unit and the network security of tenants on the cloud is protected. In this way, the traffic of each instance is controlled by the access control policy set of the control unit to which the instance belongs, without steering (redirecting) the network traffic. Because the scheme builds on the basic capabilities of instances in a public cloud environment, it is simple to implement, can effectively handle in-cloud threat control scenarios, and protects the network security of cloud tenants.
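The control-unit determination that the server performs in the procedure above can be made concrete in code. Claims 2 to 5 and 8 to 12 below state the rule as a priority: if any policy's effective object is the instance itself, the instance forms an instance-level control unit whose policy set also carries its subnet's and private network's policies; failing that, a subnet-level policy forms a subnet-level unit (carrying the private network's policies too); failing that, a private-network-level policy forms a private-network-level unit; and instances are then partitioned into the units whose effective object contains them. The following Python is an added example written for this page, not code from the patent or its applicant. The dataclasses, the `scope`/`target` encoding of a policy's effective object, the most-specific-first ordering inside a policy set, the sample tenant and the `uncovered_instances` check are all constructed here for illustration.

```python
"""Added example (not the patent's own code): resolving the control unit and
access control policy set for each instance, following the priority of
claims 2 to 5 (instance level, then subnet level, then private-network level).

Assumptions (constructed for this example): assets are simple dataclasses,
a policy's effective object is encoded as (scope, target), and policy sets
are plain lists ordered most-specific first.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Level = str  # "instance", "subnet" or "vpc" (private network)


@dataclass(frozen=True)
class Policy:
    """One access control policy; scope and target form its effective object."""
    name: str
    scope: Level       # level of the effective object
    target: str        # id of the instance, subnet or private network it applies to
    action: str        # "allow" or "deny"
    remote_cidr: str   # peer address range the rule matches
    port: int


@dataclass(frozen=True)
class Instance:
    instance_id: str
    subnet_id: str
    vpc_id: str


def resolve_control_unit(inst: Instance, policies: List[Policy]
                         ) -> Tuple[Optional[Level], Optional[str], List[Policy]]:
    """Return (level, unit_key, policy_set) for one instance.

    An instance-level policy wins, then a subnet-level one, then a
    private-network-level one. A more specific unit still carries the
    policies of the enclosing levels, so narrowing the unit never drops
    a broader rule.
    """
    inst_p = [p for p in policies if p.scope == "instance" and p.target == inst.instance_id]
    sub_p = [p for p in policies if p.scope == "subnet" and p.target == inst.subnet_id]
    vpc_p = [p for p in policies if p.scope == "vpc" and p.target == inst.vpc_id]
    if inst_p:
        return "instance", inst.instance_id, inst_p + sub_p + vpc_p
    if sub_p:
        return "subnet", inst.subnet_id, sub_p + vpc_p
    if vpc_p:
        return "vpc", inst.vpc_id, vpc_p
    return None, None, []  # no policy at any level reaches this instance


def build_control_units(instances: List[Instance], policies: List[Policy]
                        ) -> Dict[Tuple[Level, str], Dict[str, list]]:
    """Partition instances into control units (claim 5) with each unit's policy set.

    Returns {(level, unit_key): {"policies": [Policy, ...], "instances": [id, ...]}}.
    Instances that no policy covers are left out of every unit.
    """
    units: Dict[Tuple[Level, str], Dict[str, list]] = {}
    for inst in instances:
        level, key, policy_set = resolve_control_unit(inst, policies)
        if level is None:
            continue
        unit = units.setdefault((level, key), {"policies": policy_set, "instances": []})
        unit["instances"].append(inst.instance_id)
    return units


def uncovered_instances(instances: List[Instance], policies: List[Policy]) -> List[str]:
    """Instances that would receive no policy set at all: a coverage gap to flag."""
    return [i.instance_id for i in instances
            if resolve_control_unit(i, policies)[0] is None]


# Constructed sample tenant: one private network with two subnets, plus a
# second private network that no policy mentions at any level.
SAMPLE_INSTANCES = [
    Instance("i-1", "subnet-a", "vpc-1"),
    Instance("i-2", "subnet-a", "vpc-1"),
    Instance("i-3", "subnet-b", "vpc-1"),
    Instance("i-4", "subnet-z", "vpc-2"),
]
SAMPLE_POLICIES = [
    Policy("vpc-deny-rdp", "vpc", "vpc-1", "deny", "0.0.0.0/0", 3389),
    Policy("subnet-a-allow-db", "subnet", "subnet-a", "allow", "10.0.0.0/8", 5432),
    Policy("i-1-allow-ssh-bastion", "instance", "i-1", "allow", "10.0.1.10/32", 22),
]

if __name__ == "__main__":
    for (level, key), unit in build_control_units(SAMPLE_INSTANCES, SAMPLE_POLICIES).items():
        print(f"{level}-level unit {key}: instances={unit['instances']} "
              f"policies={[p.name for p in unit['policies']]}")
    print("uncovered:", uncovered_instances(SAMPLE_INSTANCES, SAMPLE_POLICIES))
```

On the sample tenant, `i-1` forms an instance-level unit carrying all three policies, `i-2` falls into the subnet-level unit for `subnet-a` with the subnet and private-network policies, and `i-3` into the private-network-level unit for `vpc-1` with only the private-network policy. The check a practitioner wants before policy sets are pushed is the last line: `i-4` is reached by no policy at any level, so it would receive no policy set and its traffic would stay uncontrolled; `uncovered_instances` surfaces that gap. Whether the instance evaluates the rules in its set in order is not specified by the page, so the most-specific-first ordering here is an assumption.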
Based on the above embodiments of the network security management method and network security management device, an embodiment of the present application further provides another computer device; the computer device described here corresponds to the aforementioned client. Referring to FIG. 17, which is a schematic structural diagram of a computer device provided by an embodiment of the present application, the computer device 1700 may include at least: a processor 1701, an input interface 1702, an output interface 1703 and a computer storage medium 1704, which may be connected by a bus or in other ways.
The computer storage medium 1704 may be stored in the memory 1705 of the computer device 1700. The computer storage medium 1701 is configured to store a computer program, the computer program includes program instructions, and the processor 1701 is configured to execute the program instructions stored in the computer storage medium 1704. The processor 1701 (also called a CPU, Central Processing Unit) is the computing core and control core of the computer device; it is adapted to implement one or more instructions, and specifically to load and execute the following:
displaying the network assets of a target tenant in a network security management interface, the network security management interface including a configuration area, and the network assets including private networks, subnets and instances; acquiring an access control configuration operation entered for the network assets through the configuration area; generating configuration data according to the access control configuration operation, the configuration data including the access control policies of the target tenant's network assets; and sending the configuration data to a server, so that the server determines, according to the configuration data, one or more control units and the access control policy set corresponding to each control unit, the control units including one or more of private-network-level control units, subnet-level control units and instance-level control units.
In the embodiments of the present application, the network assets of a target tenant are displayed in a network security management interface; the access control policies of those network assets can be configured in the configuration area, and the resulting configuration data is sent to the server so that the server determines, from the configuration data, one or more control units and the access control policy set corresponding to each control unit. In this way, the access control policies of the target tenant's network assets are configured in the configuration area and delivered to the server as configuration data, from which the server derives the control units and their access control policy sets.
An embodiment of the present application further provides a computer storage medium (memory). The computer storage medium is a memory device in a computer device and is used to store programs and data. It is understood that the computer storage medium here may include a storage medium built into the computer device and, of course, may also include an extended storage medium supported by the computer device. The computer storage medium provides a storage space that stores the operating system of the computer device. The storage space also stores one or more instructions adapted to be loaded and executed by the processor 1601 or 1701; these instructions may be one or more computer programs (including program code). It should be noted that the computer storage medium here may be a high-speed RAM memory or a non-volatile memory, such as at least one magnetic disk memory; optionally, it may also be at least one computer storage medium located remotely from the aforementioned processor.
In one embodiment, the computer storage medium may be loaded by the processor 1601, which executes the one or more instructions stored in the computer storage medium to implement the corresponding steps of the network security management method shown in FIG. 2 described above.
In other embodiments, the computer storage medium may be loaded by the processor 1701, which executes the one or more instructions stored in the computer storage medium to implement the corresponding steps of the network security management method shown in FIG. 5 described above.
According to one aspect of the present application, an embodiment of the present application further provides a computer product or computer program, the computer product or computer program including computer instructions stored in a computer storage medium.
Optionally, the processor 1601 reads the computer instructions from the computer storage medium and executes them, so that the computer device performs the network security management method shown in FIG. 2.
Optionally, the processor 1701 reads the computer instructions from the computer storage medium and executes them, so that the computer device performs the network security management method shown in FIG. 5.
Those of ordinary skill in the art will appreciate that the units and steps of the examples described in connection with the embodiments disclosed in this application can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are executed in hardware or in software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be regarded as going beyond the scope of the present application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. A computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer storage medium or transmitted through a computer storage medium. The computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example, infrared, radio or microwave). The computer storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
The above describes only specific embodiments of the present application, but the scope of protection of the present application is not limited to them; any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed in the present application, and these should all be covered by the scope of protection of the present application. Therefore, the scope of protection of the present application should be determined by the scope of protection of the claims.

Claims (16)

  1. A network security management method, the method being executed by a computer device and comprising:
    obtaining configuration data, the configuration data including at least one access control policy of the network assets of a target tenant, the network assets including private networks, subnets and instances, the private network including at least one of the subnets, and the subnet including at least one of the instances;
    determining, according to the configuration data, a control unit and an access control policy set corresponding to the control unit, the control unit including one or more of a private-network-level control unit, a subnet-level control unit and an instance-level control unit; and
    sending the access control policy set corresponding to the control unit to the instances belonging to the control unit, the access control policy set being used to control the network traffic of the instances.
  2. The method according to claim 1, wherein determining the control unit and the access control policy set corresponding to the control unit according to the configuration data comprises:
    obtaining the effective object of the at least one access control policy;
    if the effective object of any access control policy includes a target instance, determining an instance-level control unit, the target instance being any instance of the target tenant; and
    adding the access control policy of the target instance, the access control policy of the subnet to which the target instance belongs and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the instance-level control unit.
  3. The method according to claim 2, further comprising:
    if no access control policy has an effective object that includes the target instance, but an access control policy has an effective object that includes the subnet to which the target instance belongs, determining a subnet-level control unit; and
    adding the access control policy of the subnet to which the target instance belongs and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the subnet-level control unit.
  4. The method according to claim 3, further comprising:
    if no access control policy has an effective object that includes the target instance or the subnet to which the target instance belongs, but an access control policy has an effective object that includes the private network to which the target instance belongs, determining a private-network-level control unit; and
    adding the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the private-network-level control unit.
  5. The method according to any one of claims 1 to 4, wherein before sending the access control policy set corresponding to the control unit to the instances belonging to the control unit, the method further comprises:
    for the instance-level control unit, assigning the instance indicated by the effective object of the instance-level control unit to the instance-level control unit;
    for the subnet-level control unit, assigning the instances included in the subnet indicated by the effective object of the subnet-level control unit to the subnet-level control unit; and
    for the private-network-level control unit, assigning the instances in the private network indicated by the effective object of the private-network-level control unit to the private-network-level control unit.
  6. A network security management method, the method being executed by a computer device and comprising:
    displaying the network assets of a target tenant in a network security management interface, the network security management interface including a configuration area, and the network assets including private networks, subnets and instances, the private network including at least one of the subnets, and the subnet including at least one of the instances;
    acquiring an access control configuration operation, the access control configuration operation being entered for the network assets through the configuration area;
    generating configuration data according to the access control configuration operation, the configuration data including the access control policies of the target tenant's network assets; and
    sending the configuration data to a server, so that the server determines, according to the configuration data, a control unit and an access control policy set corresponding to the control unit, the control unit including one or more of a private-network-level control unit, a subnet-level control unit and an instance-level control unit.
  7. The method according to claim 6, further comprising:
    in response to a policy viewing instruction for a target instance of the target tenant, sending a policy acquisition request to the server, the policy acquisition request including the instance identifier of the target instance;
    receiving, from the server, the access control policy set corresponding to the control unit to which the target instance belongs; and
    displaying, in the network security management interface, the one or more access control policies included in the access control policy set.
  8. A network security management device, the device comprising:
    an acquisition unit, configured to obtain configuration data, the configuration data including the access control policies of the network assets of a target tenant, the network assets including private networks, subnets and instances, the private network including at least one of the subnets, and the subnet including at least one of the instances;
    a determining unit, configured to determine, according to the configuration data, a control unit and an access control policy set corresponding to the control unit, the control unit including one or more of a private-network-level control unit, a subnet-level control unit and an instance-level control unit; and
    a sending unit, configured to send the access control policy set corresponding to the control unit to the instances belonging to the control unit, the access control policy set being used to control the network traffic of the instances.
  9. The device according to claim 8, wherein
    the determining unit is configured to obtain the effective object of the at least one access control policy; if the effective object of any access control policy includes a target instance, determine an instance-level control unit, the target instance being any instance of the target tenant; and add the access control policy of the target instance, the access control policy of the subnet to which the target instance belongs and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the instance-level control unit.
  10. The device according to claim 9, wherein
    the determining unit is configured to, if no access control policy has an effective object that includes the target instance but an access control policy has an effective object that includes the subnet to which the target instance belongs, determine a subnet-level control unit, and add the access control policy of the subnet to which the target instance belongs and the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the subnet-level control unit.
  11. The device according to claim 10, wherein
    the determining unit is configured to, if no access control policy has an effective object that includes the target instance or the subnet to which the target instance belongs but an access control policy has an effective object that includes the private network to which the target instance belongs, determine a private-network-level control unit, and add the access control policy of the private network to which the target instance belongs to the access control policy set corresponding to the private-network-level control unit.
  12. The device according to any one of claims 8 to 11, the device further comprising a partitioning unit, wherein
    the partitioning unit is configured to: for the instance-level control unit, assign the instance indicated by the effective object of the instance-level control unit to the instance-level control unit; for the subnet-level control unit, assign the instances included in the subnet indicated by the effective object of the subnet-level control unit to the subnet-level control unit; and for the private-network-level control unit, assign the instances in the private network indicated by the effective object of the private-network-level control unit to the private-network-level control unit.
  13. A network security management device, the device comprising:
    a display unit, configured to display the network assets of a target tenant in a network security management interface, the network security management interface including a configuration area, and the network assets including private networks, subnets and instances, the private network including at least one of the subnets, and the subnet including at least one of the instances;
    an acquisition unit, configured to acquire an access control configuration operation entered for the network assets through the configuration area;
    a generating unit, configured to generate configuration data according to the access control configuration operation, the configuration data including the access control policies of the target tenant's network assets; and
    发送单元,用于向服务器发送所述配置数据,以使得所述服务器根据所述配置数据确定一个或多个管控单位以及每个管控单位对应的访问控制策略集,所述管控单位包括私有网络级管控单位、子网级管控单位和实例级管控单位中的一种或多种。A sending unit, configured to send the configuration data to a server, so that the server determines one or more management and control units and an access control policy set corresponding to each management and control unit according to the configuration data, and the management and control units include private network level One or more of management and control units, subnet-level management and control units, and instance-level management and control units.
  14. 根据权利要求13所述的装置,所述装置还包括响应单元和接收单元;The device according to claim 13, further comprising a response unit and a receiving unit;
    所述响应单元用于响应于针对所述目标租户的目标实例的策略查看指令,向所述服务器发送策略获取请求,所述策略获取请求包括所述目标实例的实例标识;The response unit is configured to send a policy acquisition request to the server in response to a policy viewing instruction for a target instance of the target tenant, where the policy acquisition request includes an instance identifier of the target instance;
    所述接收单元用于接收所述服务器发送的所述目标实例所属管控单位对应的访问控制策略集;The receiving unit is configured to receive the access control policy set corresponding to the management and control unit to which the target instance belongs sent by the server;
    所述展示单元还用于在所述网络安全管理界面中展示所述访问控制策略集包括的一个或多个访问控制策略。The display unit is further configured to display one or more access control policies included in the access control policy set on the network security management interface.
  15. 一种计算机设备,所述计算机设备包括:处理器,以及计算机存储介质,所述计算机存储介质存储有一条或多条指令,所述一条或多条指令适于由所述处理器加载并执行如权利要求1至5任一项所述的方法;或者,所述一条或多条指令适于由所述处理器加载并执行如权利要求6或7所述的方法。A computer device, the computer device includes: a processor, and a computer storage medium, the computer storage medium stores one or more instructions, and the one or more instructions are suitable for being loaded by the processor and executed as The method according to any one of claims 1 to 5; or, the one or more instructions are adapted to be loaded by the processor and execute the method according to claim 6 or 7.
  16. 一种计算机存储介质,所述计算机存储介质存储有一条或多条指令,所述一条或多条指令适于由处理器加载并执行如权利要求1至5任一项所述的方法;或者,所述一条或多条指令适于由所述处理器加载并执行如权利要求6或7所述的方法。A computer storage medium, the computer storage medium stores one or more instructions, and the one or more instructions are suitable for being loaded by a processor and executing the method according to any one of claims 1 to 5; or, The one or more instructions are adapted to be loaded by the processor and execute the method as claimed in claim 6 or 7.
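The resolution described in claims 11 and 12 (the most specific effective object wins: instance, then subnet, then private network; each instance is then assigned to exactly one management and control unit), as an added Python example that is not part of the patent. The asset ids, policy rules and the assumption that the instance- and subnet-level branches mirror the private-network branch quoted in claim 11 are all constructed here; the example also reports instances that no policy covers, which is the gap a policy reviewer would want surfaced.

```python
# Added example, not from the patent. Asset ids, rules and the instance/subnet
# branches (assumed to mirror the private-network branch of claim 11) are constructed.

# Constructed tenant assets: private network -> subnet -> instance (claim 13 hierarchy).
INSTANCES = {
    "ins-1": {"subnet": "subnet-a", "vpc": "vpc-1"},
    "ins-2": {"subnet": "subnet-a", "vpc": "vpc-1"},
    "ins-3": {"subnet": "subnet-b", "vpc": "vpc-1"},
    "ins-4": {"subnet": "subnet-c", "vpc": "vpc-2"},  # no policy at any level
}

# Constructed access control policies; "level"/"object" is the policy's effective object.
POLICIES = [
    {"level": "instance", "object": "ins-1", "rule": "deny tcp/22 from 0.0.0.0/0"},
    {"level": "subnet", "object": "subnet-a", "rule": "allow tcp/443 from 10.0.0.0/8"},
    {"level": "vpc", "object": "vpc-1", "rule": "deny any from 0.0.0.0/0"},
]

LEVELS = ("instance", "subnet", "vpc")  # checked from most to least specific


def resolve_unit(instance_id, instances=INSTANCES, policies=POLICIES):
    """Determining unit (claim 11): pick the most specific level at which some
    policy's effective object covers the target instance. Returns the
    (level, object id) management unit and that level's policy set, or
    (None, []) when no policy covers the instance at any level."""
    inst = instances[instance_id]
    objects = {"instance": instance_id, "subnet": inst["subnet"], "vpc": inst["vpc"]}
    for level in LEVELS:
        matched = [p["rule"] for p in policies
                   if p["level"] == level and p["object"] == objects[level]]
        if matched:
            return (level, objects[level]), matched
    return None, []


def divide_instances(instances=INSTANCES, policies=POLICIES):
    """Dividing unit (claim 12): group every instance under the unit it resolves
    to, so each instance sits in exactly one unit. Instances that resolve to no
    unit are returned separately: they have no policy applied and should be
    treated as a coverage gap rather than silently dropped."""
    units, uncovered = {}, []
    for ins in instances:
        unit, _ = resolve_unit(ins, instances, policies)
        if unit is None:
            uncovered.append(ins)
        else:
            units.setdefault(unit, []).append(ins)
    return units, uncovered
```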
PCT/CN2021/107139 2021-05-20 2021-07-19 Network security management method and computer device WO2022241939A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US18/123,622 US20230300141A1 (en) 2021-05-20 2023-03-20 Network security management method and computer device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110555000.8 2021-05-20
CN202110555000.8A CN114679290B (en) 2021-05-20 2021-05-20 Network security management method and electronic equipment

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/123,622 Continuation US20230300141A1 (en) 2021-05-20 2023-03-20 Network security management method and computer device

Publications (1)

Publication Number Publication Date
WO2022241939A1 true WO2022241939A1 (en) 2022-11-24

Family

ID=82070075

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/107139 WO2022241939A1 (en) 2021-05-20 2021-07-19 Network security management method and computer device

Country Status (3)

Country Link
US (1) US20230300141A1 (en)
CN (1) CN114679290B (en)
WO (1) WO2022241939A1 (en)

Also Published As

Publication number Publication date
CN114679290B (en) 2023-03-24
US20230300141A1 (en) 2023-09-21
CN114679290A (en) 2022-06-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21940388

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 25.03.2024)